Result Details
Verify File Hashes with RPMxccdf_org.ssgproject.content_rule_rpm_verify_hashes highCCE-80857-6
Verify File Hashes with RPM
| Rule ID | xccdf_org.ssgproject.content_rule_rpm_verify_hashes |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-rpm_verify_hashes:def:1 |
| Time | 2023-11-02T08:32:06+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80857-6 References:
6.1.1, 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227 |
| Description | Without cryptographic integrity protections, system
executables and files can be altered by unauthorized users without
detection.
The RPM package management system can check the hashes of
installed software packages, including many that are important to system
security.
To verify that the cryptographic hash of system files and commands matches vendor
values, run the following command to list which files on the system
have hashes that differ from what is expected by the RPM database:
$ rpm -Va --noconfig | grep '^..5'
A "c" in the second column indicates that a file is a configuration file, which
may appropriately be expected to change. If the file was not expected to
change, investigate the cause of the change using audit logs or other means.
The package can then be reinstalled to restore the file.
Run the following command to determine which package owns the file:
$ rpm -qf FILENAME
The package can be reinstalled from a yum repository using the command:
$ sudo yum reinstall PACKAGENAME
Alternatively, the package can be reinstalled from trusted media using the command:
$ sudo rpm -Uvh PACKAGENAME |
| Rationale | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. |
OVAL test results detailsverify file md5 hashes
oval:ssg-test_files_fail_md5_hash:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_files_fail_md5_hash:obj:1 of type
rpmverifyfile_object
| Behaviors | Name | Epoch | Version | Release | Arch | Filepath | Filter |
|---|
| no value | .* | .* | .* | .* | .* | ^/(bin|sbin|lib|lib64|usr)/.+$ | oval:ssg-state_files_fail_md5_hash:ste:1 |
Verify and Correct File Permissions with RPMxccdf_org.ssgproject.content_rule_rpm_verify_permissions highCCE-80858-4
Verify and Correct File Permissions with RPM
| Rule ID | xccdf_org.ssgproject.content_rule_rpm_verify_permissions |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-rpm_verify_permissions:def:1 |
| Time | 2023-11-02T08:32:20+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80858-4 References:
1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 |
| Description | The RPM package management system can check file access permissions
of installed software packages, including many that are important
to system security.
Verify that the file permissions of system files
and commands match vendor values. Check the file permissions
with the following command:
$ sudo rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'
Output indicates files that do not match vendor defaults.
After locating a file with incorrect permissions,
run the following command to determine which package owns it:
$ rpm -qf FILENAME
Next, run the following command to reset its permissions to
the correct values:
$ sudo rpm --setperms PACKAGENAME |
| Rationale | Permissions on system binaries and configuration files that are too generous
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. |
| Warnings | warning
Profiles may require that specific files have stricter file permissions than defined by the
vendor.
Such files will be reported as a finding and need to be evaluated according to your policy
and deployment environment. |
OVAL test results detailsmode of all files matches local rpm database
oval:ssg-test_verify_all_rpms_mode:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_files_fail_mode:obj:1 of type
rpmverifyfile_object
| Behaviors | Name | Epoch | Version | Release | Arch | Filepath | Filter |
|---|
| no value | .* | .* | .* | .* | .* | .* | oval:ssg-state_files_fail_mode:ste:1 |
Configure System Cryptography Policyxccdf_org.ssgproject.content_rule_configure_crypto_policy highCCE-80935-0
Configure System Cryptography Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_crypto_policy |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_crypto_policy:def:1 |
| Time | 2023-11-02T08:32:20+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80935-0 References:
1.10, 1.11, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, SV-230223r877398_rule |
| Description | To configure the system cryptography policy to use ciphers only from the FIPS
policy, run the following command:
$ sudo update-crypto-policies --set FIPS
The rule checks if settings for selected crypto policy are configured as expected. Configuration files in the /etc/crypto-policies/back-ends are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied.
Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon. |
| Rationale | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. |
| Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process. |
|
|
|
OVAL test results detailscheck for crypto policy correctly configured in /etc/crypto-policies/config
oval:ssg-test_configure_crypto_policy:tst:1
false
Following items have been found on the system:
| Path | Content |
|---|
| /etc/crypto-policies/config | DEFAULT |
check for crypto policy correctly configured in /etc/crypto-policies/state/current
oval:ssg-test_configure_crypto_policy_current:tst:1
false
Following items have been found on the system:
| Path | Content |
|---|
| /etc/crypto-policies/state/current | DEFAULT |
Check if update-crypto-policies has been run
oval:ssg-test_crypto_policies_updated:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-variable_crypto_policies_config_file_timestamp:var:1 | 1684905304 |
Check if /etc/crypto-policies/back-ends/nss.config exists
oval:ssg-test_crypto_policy_nss_config:tst:1
true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|
| /etc/crypto-policies/back-ends/nss.config | regular | 0 | 0 | 452 | rw-r--r-- |
Configure SSH to use System Crypto Policyxccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy mediumCCE-80939-2
Configure SSH to use System Crypto Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_ssh_crypto_policy:def:1 |
| Time | 2023-11-02T08:32:20+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80939-2 References:
5.2.14, CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, 2.2, SRG-OS-000250-GPOS-00093, RHEL-08-010287, SV-244526r877394_rule |
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
SSH is supported by crypto policy, but the SSH configuration may be
set up to ignore it.
To check that Crypto Policies settings are configured correctly, ensure that
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd. |
| Rationale | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. |
|
|
OVAL test results detailsCheck that the SSH configuration mandates usage of system-wide crypto policies.
oval:ssg-test_configure_ssh_crypto_policy:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-object_configure_ssh_crypto_policy:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/sysconfig/sshd | ^\s*(?i)CRYPTO_POLICY\s*=.*$ | 1 |
Encrypt Partitionsxccdf_org.ssgproject.content_rule_encrypt_partitions highCCE-80789-1
Encrypt Partitions
| Rule ID | xccdf_org.ssgproject.content_rule_encrypt_partitions |
| Result | |
| Multi-check rule | no |
| Time | 2023-11-02T08:32:20+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80789-1 References:
13, 14, APO01.06, BAI02.01, BAI06.01, DSS04.07, DSS05.03, DSS05.04, DSS05.07, DSS06.02, DSS06.06, 3.13.16, CCI-001199, CCI-002475, CCI-002476, 164.308(a)(1)(ii)(D), 164.308(b)(1), 164.310(d), 164.312(a)(1), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.314(b)(2)(i), 164.312(d), SR 3.4, SR 4.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), SC-28, SC-28(1), SC-13, AU-9(3), PR.DS-1, PR.DS-5, SRG-OS-000405-GPOS-00184, SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, RHEL-08-010030, SV-230224r917864_rule |
| Description | Red Hat Enterprise Linux 8 natively supports partition encryption through the
Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to
encrypt a partition is during installation time.
For manual installations, select the Encrypt checkbox during
partition creation to encrypt the partition. When this
option is selected the system will prompt for a passphrase to use in
decrypting the partition. The passphrase will subsequently need to be entered manually
every time the system boots.
For automated/unattended installations, it is possible to use Kickstart by adding
the --encrypted and --passphrase= options to the definition of each partition to be
encrypted. For example, the following line would encrypt the root partition:
part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE
Any PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart
must then be protected accordingly.
Omitting the --passphrase= option from the partition definition will cause the
installer to pause and interactively ask for the passphrase during installation.
By default, the Anaconda installer uses aes-xts-plain64 cipher
with a minimum 512 bit key size which should be compatible with FIPS enabled.
Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on
the Red Hat Enterprise Linux 8 Documentation web site:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening
. |
| Rationale | The risk of a system's physical compromise, particularly mobile systems such as
laptops, places its data at risk of compromise. Encrypting this data mitigates
the risk of its loss if the system is lost. |
Evaluation messagesinfo
No candidate or applicable check found. |
Require Credential Prompting for Remote Access in GNOME3xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt mediumCCE-80772-7
Require Credential Prompting for Remote Access in GNOME3
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt |
| Result | |
| Multi-check rule | no |
| Time | 2023-11-02T08:32:20+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80772-7 References:
3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) |
| Description | By default, GNOME does not require credentials when using Vino for
remote access. To configure the system to require remote credentials, add or set
authentication-methods to ['vnc'] in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/Vino]
authentication-methods=['vnc']
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update. |
| Rationale | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. |
Require Encryption for Remote Access in GNOME3xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption mediumCCE-80773-5
Require Encryption for Remote Access in GNOME3
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption |
| Result | |
| Multi-check rule | no |
| Time | 2023-11-02T08:32:20+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80773-5 References:
1, 11, 12, 13, 15, 16, 18, 20, 3, 4, 6, 9, BAI03.08, BAI07.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS03.01, 3.1.13, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 7.6, A.12.1.1, A.12.1.2, A.12.1.4, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), AC-17(a), AC-17(2), DE.AE-1, PR.DS-7, PR.IP-1, SRG-OS-000480-GPOS-00227 |
| Description | By default, GNOME requires encryption when using Vino for remote access.
To prevent remote access encryption from being disabled, add or set
require-encryption to true in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/Vino]
require-encryption=true
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/Vino/require-encryption
After the settings have been set, run dconf update. |
| Rationale | Open X displays allow an attacker to capture keystrokes and to execute commands
remotely. |
Make sure that the dconf databases are up-to-date with regards to respective keyfilesxccdf_org.ssgproject.content_rule_dconf_db_up_to_date highCCE-81003-6
Make sure that the dconf databases are up-to-date with regards to respective keyfiles
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date |
| Result | |
| Multi-check rule | no |
| Time | 2023-11-02T08:32:20+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-81003-6 References:
1.8.2, 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, 6.3.3, SRG-OS-000480-GPOS-00227 |
| Description | By default, DConf uses a binary database as a data backend.
The system-level database is compiled from keyfiles in the /etc/dconf/db/
directory by the dconf update command. More specifically, content present
in the following directories:
/etc/dconf/db/gdm.d
/etc/dconf/db/local.d |
| Rationale | Unlike text-based keyfiles, the binary database is impossible to check by OVAL.
Therefore, in order to evaluate dconf configuration, both have to be true at the same time -
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. |
Ensure gpgcheck Enabled In Main yum Configurationxccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated highCCE-80790-9
Ensure gpgcheck Enabled In Main yum Configuration
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-ensure_gpgcheck_globally_activated:def:1 |
| Time | 2023-11-02T08:32:20+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80790-9 References:
BP28(R15), 1.2.3, 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, RHEL-08-010370, SV-230264r880711_rule |
| Description | The gpgcheck option controls whether
RPM packages' signatures are always checked prior to installation.
To configure yum to check package signatures before installing
them, ensure the following line appears in /etc/yum.conf in
the [main] section:
gpgcheck=1 |
| Rationale | Changes to any software components can have significant effects on the
overall security of the operating system. This requirement ensures the
software has not been tampered with and that it has been provided by a
trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system
components must be signed with a certificate recognized and approved by the
organization.
Verifying the authenticity of the software prior to installation
validates the integrity of the patch or upgrade received from a vendor.
This ensures the software has not been tampered with and that it has been
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). |
OVAL test results detailscheck value of gpgcheck in /etc/yum.conf
oval:ssg-test_ensure_gpgcheck_globally_activated:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/yum.conf | gpgcheck=1 |
Ensure gpgcheck Enabled for Local Packagesxccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages highCCE-80791-7
Ensure gpgcheck Enabled for Local Packages
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-ensure_gpgcheck_local_packages:def:1 |
| Time | 2023-11-02T08:32:20+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80791-7 References:
BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, RHEL-08-010371, SV-230265r877463_rule |
| Description | yum should be configured to verify the signature(s) of local packages
prior to installation. To configure yum to verify signatures of local
packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf.
|
| Rationale | Changes to any software components can have significant effects to the overall security
of the operating system. This requirement ensures the software has not been tampered and
has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must
be signed with a certificate recognized and approved by the organization. |
OVAL test results detailscheck value of localpkg_gpgcheck in /etc/yum.conf
oval:ssg-test_yum_ensure_gpgcheck_local_packages:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/yum.conf | localpkg_gpgcheck=1
|
Ensure gpgcheck Enabled for All yum Package Repositoriesxccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled highCCE-80792-5
Ensure gpgcheck Enabled for All yum Package Repositories
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-ensure_gpgcheck_never_disabled:def:1 |
| Time | 2023-11-02T08:32:20+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80792-5 References:
BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, RHEL-08-010370, SV-230264r880711_rule |
| Description | To ensure signature checking is not disabled for
any repos, remove any lines from files in /etc/yum.repos.d of the form:
gpgcheck=0 |
| Rationale | Verifying the authenticity of the software prior to installation validates
the integrity of the patch or upgrade received from a vendor. This ensures
the software has not been tampered with and that it has been provided by a
trusted vendor. Self-signed certificates are disallowed by this
requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA)." |
OVAL test results detailscheck for existence of gpgcheck=0 in /etc/yum.repos.d/ files
oval:ssg-test_ensure_gpgcheck_never_disabled:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_ensure_gpgcheck_never_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/yum.repos.d | .* | ^\s*gpgcheck\s*=\s*0\s*$ | 1 |
Ensure Red Hat GPG Key Installedxccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed highCCE-80795-8
Ensure Red Hat GPG Key Installed
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-ensure_redhat_gpgkey_installed:def:1 |
| Time | 2023-11-02T08:32:20+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80795-8 References:
BP28(R15), 1.2.2, 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, RHEL-08-010019, SV-256973r902752_rule |
| Description | To ensure the system can cryptographically verify base software packages
come from Red Hat (and to connect to the Red Hat Network to receive them),
the Red Hat GPG key must properly be installed. To install the Red Hat GPG
key, run:
$ sudo subscription-manager register
If the system is not connected to the Internet or an RHN Satellite, then
install the Red Hat GPG key from trusted media such as the Red Hat
installation CD-ROM or DVD. Assuming the disc is mounted in
/media/cdrom, use the following command as the root user to import
it into the keyring:
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY
Alternatively, the key may be pre-loaded during the RHEL installation. In
such cases, the key can be installed by running the following command:
sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release |
| Rationale | Changes to software components can have significant effects on the overall
security of the operating system. This requirement ensures the software has
not been tampered with and that it has been provided by a trusted vendor.
The Red Hat GPG key is necessary to cryptographically verify packages are
from Red Hat. |
OVAL test results detailsinstalled OS part of unix family
oval:ssg-test_rhel8_unix_family:tst:1
true
Following items have been found on the system:
installed OS part of unix family
oval:ssg-test_rhel8_unix_family:tst:1
true
Following items have been found on the system:
redhat-release is version 8
oval:ssg-test_rhel8:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| redhat-release | x86_64 | (none) | 0.8.el8 | 8.8 | 0:8.8-0.8.el8 | 199e2f91fd431d51 | redhat-release-0:8.8-0.8.el8.x86_64 |
redhat-release is version 8
oval:ssg-test_rhel8:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| redhat-release | x86_64 | (none) | 0.8.el8 | 8.8 | 0:8.8-0.8.el8 | 199e2f91fd431d51 | redhat-release-0:8.8-0.8.el8.x86_64 |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 8
oval:ssg-test_rhevh_rhel8_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 8
oval:ssg-test_rhevh_rhel8_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
installed OS part of unix family
oval:ssg-test_rhel8_unix_family:tst:1
true
Following items have been found on the system:
installed OS part of unix family
oval:ssg-test_rhel8_unix_family:tst:1
true
Following items have been found on the system:
redhat-release is version 8
oval:ssg-test_rhel8:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| redhat-release | x86_64 | (none) | 0.8.el8 | 8.8 | 0:8.8-0.8.el8 | 199e2f91fd431d51 | redhat-release-0:8.8-0.8.el8.x86_64 |
redhat-release is version 8
oval:ssg-test_rhel8:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| redhat-release | x86_64 | (none) | 0.8.el8 | 8.8 | 0:8.8-0.8.el8 | 199e2f91fd431d51 | redhat-release-0:8.8-0.8.el8.x86_64 |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 8
oval:ssg-test_rhevh_rhel8_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 8
oval:ssg-test_rhevh_rhel8_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
Red Hat release key package is installed
oval:ssg-test_package_gpgkey-fd431d51-4ae0493b_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| gpg-pubkey | (none) | (none) | 5631588c | be1229cf | 0:be1229cf-5631588c | 0 | gpg-pubkey-0:be1229cf-5631588c.(none) |
| gpg-pubkey | (none) | (none) | 4ae0493b | fd431d51 | 0:fd431d51-4ae0493b | 0 | gpg-pubkey-0:fd431d51-4ae0493b.(none) |
| gpg-pubkey | (none) | (none) | 5b32db75 | d4082792 | 0:d4082792-5b32db75 | 0 | gpg-pubkey-0:d4082792-5b32db75.(none) |
Red Hat auxiliary key package is installed
oval:ssg-test_package_gpgkey-d4082792-5b32db75_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| gpg-pubkey | (none) | (none) | 5631588c | be1229cf | 0:be1229cf-5631588c | 0 | gpg-pubkey-0:be1229cf-5631588c.(none) |
| gpg-pubkey | (none) | (none) | 4ae0493b | fd431d51 | 0:fd431d51-4ae0493b | 0 | gpg-pubkey-0:fd431d51-4ae0493b.(none) |
| gpg-pubkey | (none) | (none) | 5b32db75 | d4082792 | 0:d4082792-5b32db75 | 0 | gpg-pubkey-0:d4082792-5b32db75.(none) |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type
family_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type
family_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Check os-release ID
oval:ssg-test_centos8_name:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_name_centos8:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/os-release | ^ID="(\w+)"$ | 1 |
Check os-release ID
oval:ssg-test_centos8_name:tst:1
false
Following items have been found on the system:
| Path | Content |
|---|
| /etc/os-release | ID="rhel" |
Check os-release VERSION_ID
oval:ssg-test_centos8_version:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_version_centos8:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/os-release | ^VERSION_ID="(\d)"$ | 1 |
Check os-release VERSION_ID
oval:ssg-test_centos8_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_version_centos8:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/os-release | ^VERSION_ID="(\d)"$ | 1 |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type
family_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type
family_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Check os-release ID
oval:ssg-test_centos8_name:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_name_centos8:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/os-release | ^ID="(\w+)"$ | 1 |
Check os-release ID
oval:ssg-test_centos8_name:tst:1
false
Following items have been found on the system:
| Path | Content |
|---|
| /etc/os-release | ID="rhel" |
Check os-release VERSION_ID
oval:ssg-test_centos8_version:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_version_centos8:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/os-release | ^VERSION_ID="(\d)"$ | 1 |
Check os-release VERSION_ID
oval:ssg-test_centos8_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_version_centos8:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/os-release | ^VERSION_ID="(\d)"$ | 1 |
CentOS8 key package is installed
oval:ssg-test_package_gpgkey-8483c65d-5ccc5b19_installed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| gpg-pubkey | (none) | (none) | 5631588c | be1229cf | 0:be1229cf-5631588c | 0 | gpg-pubkey-0:be1229cf-5631588c.(none) |
| gpg-pubkey | (none) | (none) | 4ae0493b | fd431d51 | 0:fd431d51-4ae0493b | 0 | gpg-pubkey-0:fd431d51-4ae0493b.(none) |
| gpg-pubkey | (none) | (none) | 5b32db75 | d4082792 | 0:d4082792-5b32db75 | 0 | gpg-pubkey-0:d4082792-5b32db75.(none) |
Disable debug-shell SystemD Servicexccdf_org.ssgproject.content_rule_service_debug-shell_disabled mediumCCE-80876-6
Disable debug-shell SystemD Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_debug-shell_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_debug-shell_disabled:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80876-6 References:
3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), CM-6, FIA_UAU.1, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227, RHEL-08-040180, SV-230532r627750_rule |
| Description | SystemD's debug-shell service is intended to
diagnose SystemD related boot issues with various systemctl
commands. Once enabled and following a system reboot, the root shell
will be available on tty9 which is access by pressing
CTRL-ALT-F9. The debug-shell service should only be used
for SystemD related issues and should otherwise be disabled.
By default, the debug-shell SystemD service is already disabled.
The debug-shell service can be disabled with the following command:
$ sudo systemctl mask --now debug-shell.service |
| Rationale | This prevents attackers with physical access from trivially bypassing security
on the machine through valid troubleshooting configurations and gaining root
access when the system is rebooted. |
|
|
|
|
|
OVAL test results detailspackage systemd is removed
oval:ssg-test_service_debug-shell_package_systemd_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| systemd | x86_64 | (none) | 74.el8_8.5 | 239 | 0:239-74.el8_8.5 | 199e2f91fd431d51 | systemd-0:239-74.el8_8.5.x86_64 |
Test that the debug-shell service is not running
oval:ssg-test_service_not_running_debug-shell:tst:1
true
Following items have been found on the system:
| Unit | Property | Value |
|---|
| debug-shell.service | ActiveState | inactive |
Test that the property LoadState from the service debug-shell is masked
oval:ssg-test_service_loadstate_is_masked_debug-shell:tst:1
false
Following items have been found on the system:
| Unit | Property | Value |
|---|
| debug-shell.service | LoadState | loaded |
Disable Ctrl-Alt-Del Burst Actionxccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction highCCE-80784-2
Disable Ctrl-Alt-Del Burst Action
| Rule ID | xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-disable_ctrlaltdel_burstaction:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80784-2 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), CM-6(a), PR.AC-4, PR.DS-5, FAU_GEN.1.2, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227, RHEL-08-040172, SV-230531r627750_rule |
| Description | By default, SystemD will reboot the system if the Ctrl-Alt-Del
key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds.
To configure the system to ignore the CtrlAltDelBurstAction
setting, add or modify the following to /etc/systemd/system.conf:
CtrlAltDelBurstAction=none |
| Rationale | A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot. |
| Warnings | warning
Disabling the Ctrl-Alt-Del key sequence
in /etc/init/control-alt-delete.conf DOES NOT disable the Ctrl-Alt-Del
key sequence if running in runlevel 6 (e.g. in GNOME, KDE, etc.)! The
Ctrl-Alt-Del key sequence will only be disabled if running in
the non-graphical runlevel 3. |
|
|
|
OVAL test results detailscheck if CtrlAltDelBurstAction is set to none
oval:ssg-test_disable_ctrlaltdel_burstaction:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_disable_ctrlaltdel_burstaction:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/systemd/system.conf(\.d/.*\.conf)?$ | ^[\s]*CtrlAltDelBurstAction[\s]*=[\s]*none$ | 1 |
Disable Ctrl-Alt-Del Reboot Activationxccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot highCCE-80785-9
Disable Ctrl-Alt-Del Reboot Activation
| Rule ID | xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-disable_ctrlaltdel_reboot:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80785-9 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, FAU_GEN.1.2, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227, RHEL-08-040170, SV-230529r833338_rule |
| Description | By default, SystemD will reboot the system if the Ctrl-Alt-Del
key sequence is pressed.
To configure the system to ignore the Ctrl-Alt-Del key sequence from the
command line instead of rebooting the system, do either of the following:
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
or
systemctl mask ctrl-alt-del.target
Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file,
as this file may be restored during future system updates. |
| Rationale | A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot. |
|
|
|
OVAL test results detailsDisable Ctrl-Alt-Del key sequence override exists
oval:ssg-test_disable_ctrlaltdel_exists:tst:1
false
Following items have been found on the system:
| Filepath | Canonical path |
|---|
| /etc/systemd/system/ctrl-alt-del.target | /usr/lib/systemd/system/reboot.target |
Verify that Interactive Boot is Disabledxccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot mediumCCE-80826-1
Verify that Interactive Boot is Disabled
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_disable_interactive_boot:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80826-1 References:
11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.1.2, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, SC-2(1), CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, FIA_UAU.1, SRG-OS-000480-GPOS-00227 |
| Description | Red Hat Enterprise Linux 8 systems support an "interactive boot" option that can
be used to prevent services from being started. On a Red Hat Enterprise Linux 8
system, interactive boot can be enabled by providing a 1,
yes, true, or on value to the
systemd.confirm_spawn kernel argument in /etc/default/grub.
Remove any instance of systemd.confirm_spawn=(1|yes|true|on) from
the kernel arguments in that file to disable interactive boot.
Recovery booting must also be disabled. Confirm that
GRUB_DISABLE_RECOVERY=true is set in /etc/default/grub.
It is also required to change the runtime configuration, run:
/sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"
grub2-mkconfig -o /boot/grub2/grub.cfg |
| Rationale | Using interactive or recovery boot, the console user could disable auditing, firewalls,
or other services, weakening system security. |
OVAL test results detailsCheck systemd.confirm_spawn=(1|true|yes|on) not in GRUB_CMDLINE_LINUX
oval:ssg-test_grub2_disable_interactive_boot_grub_cmdline_linux:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_disable_interactive_boot_grub_cmdline_linux:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/default/grub | ^\s*GRUB_CMDLINE_LINUX="(?:.*\s)?systemd\.confirm_spawn(?:=(?:1|yes|true|on))?(?:\s.*)?"$ | 1 |
Check systemd.confirm_spawn=(1|true|yes|on) not in GRUB_CMDLINE_LINUX_DEFAULT
oval:ssg-test_grub2_disable_interactive_boot_grub_cmdline_linux_default:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_disable_interactive_boot_grub_cmdline_linux_default:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/default/grub | ^\s*GRUB_CMDLINE_LINUX_DEFAULT=".*systemd\.confirm_spawn=(?:1|yes|true|on).*$ | 1 |
Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub
oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/default/grub | GRUB_DISABLE_RECOVERY="true" |
Require Authentication for Single User Modexccdf_org.ssgproject.content_rule_require_singleuser_auth mediumCCE-80855-0
Require Authentication for Single User Mode
| Rule ID | xccdf_org.ssgproject.content_rule_require_singleuser_auth |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-require_singleuser_auth:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80855-0 References:
1.4.3, 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-2, AC-3, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010151, SV-230236r743928_rule |
| Description | Single-user mode is intended as a system recovery
method, providing a single user root access to the system by
providing a boot option at startup.
By default, single-user mode is protected by requiring a password and is set
in /usr/lib/systemd/system/rescue.service. |
| Rationale | This prevents attackers with physical access from trivially bypassing security
on the machine and gaining root access. Such accesses are further prevented
by configuring the bootloader password. |
OVAL test results detailsTests that /usr/lib/systemd/systemd-sulogin-shell was not removed from the default systemd rescue.service to ensure that a password must be entered to access single user mode
oval:ssg-test_require_rescue_service:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/rescue.service | ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue |
Prevent Login to Accounts With Empty Passwordxccdf_org.ssgproject.content_rule_no_empty_passwords highCCE-80841-0
Prevent Login to Accounts With Empty Password
| Rule ID | xccdf_org.ssgproject.content_rule_no_empty_passwords |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-no_empty_passwords:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80841-0 References:
5.4.1, 1, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-5(1)(a), IA-5(c), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, FIA_UAU.1, Req-8.2.3, 8.3.6, 8.3.9, SRG-OS-000480-GPOS-00227, RHEL-08-020331, SV-244540r743869_rule |
| Description | If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the
nullok in
/etc/pam.d/system-auth and
/etc/pam.d/password-auth
to prevent logins with empty passwords. |
| Rationale | If an account has an empty password, anyone could log in and
run commands with the privileges of that account. Accounts with
empty passwords should never be used in operational environments. |
| Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
Note that this rule is not applicable for systems running within a
container. Having user with empty password within a container is not
considered a risk, because it should not be possible to directly login into
a container anyway. |
|
|
|
OVAL test results detailsmake sure nullok is not used in /etc/pam.d/system-auth
oval:ssg-test_no_empty_passwords:tst:1
false
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/password-auth |
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent
auth sufficient pam_unix.so nullok
auth required pam_faillock.so authfail
auth required pam_deny.so
account required pam_faillock.so
account required pam_unix.so
password requisite pam_pwquality.so
password [default=1 ignore=ignore success=ok] pam_localuser.so
password requisite pam_pwhistory.so use_authtok
password sufficient pam_unix.so sha512 shadow nullok use_authtok |
| /etc/pam.d/system-auth |
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent
auth sufficient pam_unix.so nullok
auth required pam_faillock.so authfail
auth required pam_deny.so
account required pam_faillock.so
account required pam_unix.so
password requisite pam_pwquality.so
password [default=1 ignore=ignore success=ok] pam_localuser.so
password requisite pam_pwhistory.so use_authtok
password sufficient pam_unix.so sha512 shadow nullok use_authtok |
Direct root Logins Not Allowedxccdf_org.ssgproject.content_rule_no_direct_root_logins mediumCCE-80840-2
Direct root Logins Not Allowed
| Rule ID | xccdf_org.ssgproject.content_rule_no_direct_root_logins |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-no_direct_root_logins:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80840-2 References:
BP28(R19), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.1, 3.1.6, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-2, CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, 8.6.1 |
| Description | To further limit access to the root account, administrators
can disable root logins at the console by editing the /etc/securetty file.
This file lists all devices the root user is allowed to login to. If the file does
not exist at all, the root user can login through any communication device on the
system, whether via the console or via a raw network interface. This is dangerous
as user can login to the system as root via Telnet, which sends the password in
plain text over the network. By default, Red Hat Enterprise Linux 8's
/etc/securetty file only allows the root user to login at the console
physically attached to the system. To prevent root from logging in, remove the
contents of this file. To prevent direct root logins, remove the contents of this
file by typing the following command:
$ sudo echo > /etc/securetty
|
| Rationale | Disabling direct root logins ensures proper accountability and multifactor
authentication to privileged accounts. Users will first login, then escalate
to privileged (root) access via su / sudo. This is required for FISMA Low
and FISMA Moderate systems. |
| Warnings | warning
This rule only checks the /etc/securetty file existence and its content.
If you need to restrict user access using the /etc/securetty file, make sure
the pam_securetty.so PAM module is properly enabled in relevant PAM files. |
|
|
|
OVAL test results detailsno entries in /etc/securetty
oval:ssg-test_no_direct_root_logins:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_direct_root_logins:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/securetty | ^$ | 1 |
/etc/securetty file exists
oval:ssg-test_etc_securetty_exists:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_securetty_exists:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/securetty | ^.*$ | 1 |
Restrict Serial Port Root Loginsxccdf_org.ssgproject.content_rule_restrict_serial_port_logins mediumCCE-80856-8
Restrict Serial Port Root Logins
| Rule ID | xccdf_org.ssgproject.content_rule_restrict_serial_port_logins |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-restrict_serial_port_logins:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80856-8 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.1, 3.1.5, CCI-000770, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6, CM-6(a), PR.AC-4, PR.DS-5 |
| Description | To restrict root logins on serial ports,
ensure lines of this form do not appear in /etc/securetty:
ttyS0
ttyS1 |
| Rationale | Preventing direct root login to serial port interfaces
helps ensure accountability for actions taken on the systems
using the root account. |
OVAL test results detailsserial ports /etc/securetty
oval:ssg-test_serial_ports_etc_securetty:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_serial_ports_etc_securetty:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/securetty | ^ttyS[0-9]+$ | 1 |
Restrict Virtual Console Root Loginsxccdf_org.ssgproject.content_rule_securetty_root_login_console_only mediumCCE-80864-2
Restrict Virtual Console Root Logins
| Rule ID | xccdf_org.ssgproject.content_rule_securetty_root_login_console_only |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-securetty_root_login_console_only:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80864-2 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.1, 3.1.5, CCI-000770, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6, CM-6(a), PR.AC-4, PR.DS-5, 8.6.1, SRG-OS-000324-GPOS-00125 |
| Description | To restrict root logins through the (deprecated) virtual console devices,
ensure lines of this form do not appear in /etc/securetty:
vc/1
vc/2
vc/3
vc/4 |
| Rationale | Preventing direct root login to virtual console devices
helps ensure accountability for actions taken on the system
using the root account. |
OVAL test results detailsvirtual consoles /etc/securetty
oval:ssg-test_virtual_consoles_etc_securetty:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_virtual_consoles_etc_securetty:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/securetty | ^vc/[0-9]+$ | 1 |
Enable authselectxccdf_org.ssgproject.content_rule_enable_authselect mediumCCE-88248-0
Enable authselect
| Rule ID | xccdf_org.ssgproject.content_rule_enable_authselect |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-enable_authselect:def:1 |
| Time | 2023-11-02T08:32:20+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-88248-0 References:
BP28(R31), 1.2.3, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), AC-3, FIA_UAU.1, FIA_AFL.1, SRG-OS-000480-GPOS-00227 |
| Description | Configure user authentication setup to use the authselect tool.
If authselect profile is selected, the rule will enable the sssd profile. |
| Rationale | Authselect is a successor to authconfig.
It is a tool to select system authentication and identity sources from a list of supported
profiles instead of letting the administrator manually build the PAM stack.
That way, it avoids potential breakage of configuration, as it ships several tested profiles
that are well tested and supported to solve different use-cases. |
| Warnings | warning
If the sudo authselect select command returns an error informing that the chosen
profile cannot be selected, it is probably because PAM files have already been modified by
the administrator. If this is the case, in order to not overwrite the desired changes made
by the administrator, the current PAM settings should be investigated before forcing the
selection of the chosen authselect profile. |
OVAL test results detailsThe 'fingerprint-auth' PAM config is a symlink to its authselect counterpart
oval:ssg-test_pam_fingerprint_symlinked_to_authselect:tst:1
true
Following items have been found on the system:
| Filepath | Canonical path |
|---|
| /etc/pam.d/fingerprint-auth | /etc/authselect/fingerprint-auth |
The 'password-auth' PAM config is a symlink to its authselect counterpart
oval:ssg-test_pam_password_symlinked_to_authselect:tst:1
true
Following items have been found on the system:
| Filepath | Canonical path |
|---|
| /etc/pam.d/password-auth | /etc/authselect/password-auth |
The 'postlogin' PAM config is a symlink to its authselect counterpart
oval:ssg-test_pam_postlogin_symlinked_to_authselect:tst:1
true
Following items have been found on the system:
| Filepath | Canonical path |
|---|
| /etc/pam.d/postlogin | /etc/authselect/postlogin |
The 'smartcard-auth' PAM config is a symlink to its authselect counterpart
oval:ssg-test_pam_smartcard_symlinked_to_authselect:tst:1
true
Following items have been found on the system:
| Filepath | Canonical path |
|---|
| /etc/pam.d/smartcard-auth | /etc/authselect/smartcard-auth |
The 'system-auth' PAM config is a symlink to its authselect counterpart
oval:ssg-test_pam_system_symlinked_to_authselect:tst:1
true
Following items have been found on the system:
| Filepath | Canonical path |
|---|
| /etc/pam.d/system-auth | /etc/authselect/system-auth |
Record Events that Modify the System's Discretionary Access Controls - chmodxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod mediumCCE-80685-1
Record Events that Modify the System's Discretionary Access Controls - chmod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_chmod:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80685-1 References:
BP28(R73), 4.1.3.9, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, RHEL-08-030490, SV-230456r810462_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit chmod
oval:ssg-test_32bit_ardm_chmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_chmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit chmod
oval:ssg-test_64bit_ardm_chmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_chmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit chmod
oval:ssg-test_32bit_ardm_chmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_chmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit chmod
oval:ssg-test_64bit_ardm_chmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_chmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - chownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown mediumCCE-80686-9
Record Events that Modify the System's Discretionary Access Controls - chown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_chown:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80686-9 References:
BP28(R73), 4.1.3.9, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, RHEL-08-030480, SV-230455r810459_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit chown
oval:ssg-test_32bit_ardm_chown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_chown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit chown
oval:ssg-test_64bit_ardm_chown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_chown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit chown
oval:ssg-test_32bit_ardm_chown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_chown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit chown
oval:ssg-test_64bit_ardm_chown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_chown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fchmodxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod mediumCCE-80687-7
Record Events that Modify the System's Discretionary Access Controls - fchmod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fchmod:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80687-7 References:
BP28(R73), 4.1.3.9, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, RHEL-08-030490, SV-230456r810462_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fchmod
oval:ssg-test_32bit_ardm_fchmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit fchmod
oval:ssg-test_64bit_ardm_fchmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fchmod
oval:ssg-test_32bit_ardm_fchmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit fchmod
oval:ssg-test_64bit_ardm_fchmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fchmodatxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat mediumCCE-80688-5
Record Events that Modify the System's Discretionary Access Controls - fchmodat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fchmodat:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80688-5 References:
BP28(R73), 4.1.3.9, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, RHEL-08-030490, SV-230456r810462_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fchmodat
oval:ssg-test_32bit_ardm_fchmodat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchmodat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit fchmodat
oval:ssg-test_64bit_ardm_fchmodat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchmodat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fchmodat
oval:ssg-test_32bit_ardm_fchmodat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchmodat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit fchmodat
oval:ssg-test_64bit_ardm_fchmodat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchmodat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fchownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown mediumCCE-80689-3
Record Events that Modify the System's Discretionary Access Controls - fchown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fchown:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80689-3 References:
BP28(R73), 4.1.3.9, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, RHEL-08-030480, SV-230455r810459_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fchown
oval:ssg-test_32bit_ardm_fchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit fchown
oval:ssg-test_64bit_ardm_fchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fchown
oval:ssg-test_32bit_ardm_fchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit fchown
oval:ssg-test_64bit_ardm_fchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fchownatxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat mediumCCE-80690-1
Record Events that Modify the System's Discretionary Access Controls - fchownat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fchownat:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80690-1 References:
BP28(R73), 4.1.3.9, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, RHEL-08-030480, SV-230455r810459_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fchownat
oval:ssg-test_32bit_ardm_fchownat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchownat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit fchownat
oval:ssg-test_64bit_ardm_fchownat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchownat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fchownat
oval:ssg-test_32bit_ardm_fchownat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchownat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit fchownat
oval:ssg-test_64bit_ardm_fchownat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchownat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fremovexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr mediumCCE-80691-9
Record Events that Modify the System's Discretionary Access Controls - fremovexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fremovexattr:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80691-9 References:
BP28(R73), 4.1.3.9, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000064-GPOS-00033, RHEL-08-030200, SV-230413r810463_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-80691-9
- CJIS-5.4.1.1
- DISA-STIG-RHEL-08-030200
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit fremovexattr tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-80691-9
- CJIS-5.4.1.1
- DISA-STIG-RHEL-08-030200
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for fremovexattr for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80691-9
- CJIS-5.4.1.1
- DISA-STIG-RHEL-08-030200
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for fremovexattr for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-80691-9
- CJIS-5.4.1.1
- DISA-STIG-RHEL-08-030200
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fremovexattr
oval:ssg-test_32bit_ardm_fremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fremovexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit fremovexattr auid=0
oval:ssg-test_32bit_ardm_fremovexattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fremovexattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit fremovexattr
oval:ssg-test_64bit_ardm_fremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fremovexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit fremovexattr
oval:ssg-test_64bit_ardm_fremovexattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fremovexattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fremovexattr
oval:ssg-test_32bit_ardm_fremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fremovexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit fremovexattr
oval:ssg-test_32bit_ardm_fremovexattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fremovexattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit fremovexattr
oval:ssg-test_64bit_ardm_fremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fremovexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit fremovexattr
oval:ssg-test_64bit_ardm_fremovexattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fremovexattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fsetxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr mediumCCE-80692-7
Record Events that Modify the System's Discretionary Access Controls - fsetxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fsetxattr:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80692-7 References:
BP28(R73), 4.1.3.9, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033, RHEL-08-030200, SV-230413r810463_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-80692-7
- CJIS-5.4.1.1
- DISA-STIG-RHEL-08-030200
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit fsetxattr tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-80692-7
- CJIS-5.4.1.1
- DISA-STIG-RHEL-08-030200
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for fsetxattr for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80692-7
- CJIS-5.4.1.1
- DISA-STIG-RHEL-08-030200
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for fsetxattr for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-80692-7
- CJIS-5.4.1.1
- DISA-STIG-RHEL-08-030200
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fsetxattr
oval:ssg-test_32bit_ardm_fsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fsetxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit fsetxattr auid=0
oval:ssg-test_32bit_ardm_fsetxattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fsetxattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit fsetxattr
oval:ssg-test_64bit_ardm_fsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fsetxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit fsetxattr
oval:ssg-test_64bit_ardm_fsetxattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fsetxattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fsetxattr
oval:ssg-test_32bit_ardm_fsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fsetxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit fsetxattr
oval:ssg-test_32bit_ardm_fsetxattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fsetxattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit fsetxattr
oval:ssg-test_64bit_ardm_fsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fsetxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit fsetxattr
oval:ssg-test_64bit_ardm_fsetxattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fsetxattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - lchownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown mediumCCE-80693-5
Record Events that Modify the System's Discretionary Access Controls - lchown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_lchown:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80693-5 References:
BP28(R73), 4.1.3.9, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, RHEL-08-030480, SV-230455r810459_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit lchown
oval:ssg-test_32bit_ardm_lchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lchown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit lchown
oval:ssg-test_64bit_ardm_lchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lchown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit lchown
oval:ssg-test_32bit_ardm_lchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lchown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit lchown
oval:ssg-test_64bit_ardm_lchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lchown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - lremovexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr mediumCCE-80694-3
Record Events that Modify the System's Discretionary Access Controls - lremovexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_lremovexattr:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80694-3 References:
BP28(R73), 4.1.3.9, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033, RHEL-08-030200, SV-230413r810463_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-80694-3
- CJIS-5.4.1.1
- DISA-STIG-RHEL-08-030200
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit lremovexattr tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-80694-3
- CJIS-5.4.1.1
- DISA-STIG-RHEL-08-030200
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for lremovexattr for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80694-3
- CJIS-5.4.1.1
- DISA-STIG-RHEL-08-030200
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for lremovexattr for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-80694-3
- CJIS-5.4.1.1
- DISA-STIG-RHEL-08-030200
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit lremovexattr
oval:ssg-test_32bit_ardm_lremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lremovexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit lremovexattr auid=0
oval:ssg-test_32bit_ardm_lremovexattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lremovexattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit lremovexattr
oval:ssg-test_64bit_ardm_lremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lremovexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit lremovexattr
oval:ssg-test_64bit_ardm_lremovexattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lremovexattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit lremovexattr
oval:ssg-test_32bit_ardm_lremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lremovexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit lremovexattr
oval:ssg-test_32bit_ardm_lremovexattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lremovexattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit lremovexattr
oval:ssg-test_64bit_ardm_lremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lremovexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit lremovexattr
oval:ssg-test_64bit_ardm_lremovexattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lremovexattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - lsetxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr mediumCCE-80695-0
Record Events that Modify the System's Discretionary Access Controls - lsetxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_lsetxattr:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80695-0 References:
BP28(R73), 4.1.3.9, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033, RHEL-08-030200, SV-230413r810463_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-80695-0
- CJIS-5.4.1.1
- DISA-STIG-RHEL-08-030200
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit lsetxattr tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-80695-0
- CJIS-5.4.1.1
- DISA-STIG-RHEL-08-030200
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for lsetxattr for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80695-0
- CJIS-5.4.1.1
- DISA-STIG-RHEL-08-030200
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for lsetxattr for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-80695-0
- CJIS-5.4.1.1
- DISA-STIG-RHEL-08-030200
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit lsetxattr
oval:ssg-test_32bit_ardm_lsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lsetxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit lsetxattr auid=0
oval:ssg-test_32bit_ardm_lsetxattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lsetxattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit lsetxattr
oval:ssg-test_64bit_ardm_lsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lsetxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit lsetxattr
oval:ssg-test_64bit_ardm_lsetxattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lsetxattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit lsetxattr
oval:ssg-test_32bit_ardm_lsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lsetxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit lsetxattr
oval:ssg-test_32bit_ardm_lsetxattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lsetxattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit lsetxattr
oval:ssg-test_64bit_ardm_lsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lsetxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit lsetxattr
oval:ssg-test_64bit_ardm_lsetxattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lsetxattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - removexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr mediumCCE-80696-8
Record Events that Modify the System's Discretionary Access Controls - removexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_removexattr:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80696-8 References:
BP28(R73), 4.1.3.9, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033, RHEL-08-030200, SV-230413r810463_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-80696-8
- CJIS-5.4.1.1
- DISA-STIG-RHEL-08-030200
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_removexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit removexattr tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-80696-8
- CJIS-5.4.1.1
- DISA-STIG-RHEL-08-030200
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_removexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for removexattr for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80696-8
- CJIS-5.4.1.1
- DISA-STIG-RHEL-08-030200
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_removexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for removexattr for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-80696-8
- CJIS-5.4.1.1
- DISA-STIG-RHEL-08-030200
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_removexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit removexattr
oval:ssg-test_32bit_ardm_removexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_removexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit removexattr auid=0
oval:ssg-test_32bit_ardm_removexattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_removexattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit removexattr
oval:ssg-test_64bit_ardm_removexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_removexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit removexattr
oval:ssg-test_64bit_ardm_removexattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_removexattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit removexattr
oval:ssg-test_32bit_ardm_removexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_removexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit removexattr
oval:ssg-test_32bit_ardm_removexattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_removexattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit removexattr
oval:ssg-test_64bit_ardm_removexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_removexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit removexattr
oval:ssg-test_64bit_ardm_removexattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_removexattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - setxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr mediumCCE-80697-6
Record Events that Modify the System's Discretionary Access Controls - setxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_setxattr:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80697-6 References:
BP28(R73), 4.1.3.9, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, RHEL-08-030200, SV-230413r810463_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-80697-6
- CJIS-5.4.1.1
- DISA-STIG-RHEL-08-030200
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_setxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit setxattr tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-80697-6
- CJIS-5.4.1.1
- DISA-STIG-RHEL-08-030200
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_setxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for setxattr for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80697-6
- CJIS-5.4.1.1
- DISA-STIG-RHEL-08-030200
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_setxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for setxattr for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-80697-6
- CJIS-5.4.1.1
- DISA-STIG-RHEL-08-030200
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_setxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit setxattr
oval:ssg-test_32bit_ardm_setxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit setxattr auid=0
oval:ssg-test_32bit_ardm_setxattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setxattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit setxattr
oval:ssg-test_64bit_ardm_setxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit setxattr
oval:ssg-test_64bit_ardm_setxattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setxattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit setxattr
oval:ssg-test_32bit_ardm_setxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit setxattr
oval:ssg-test_32bit_ardm_setxattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setxattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit setxattr
oval:ssg-test_64bit_ardm_setxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit setxattr
oval:ssg-test_64bit_ardm_setxattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setxattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Any Attempts to Run chconxccdf_org.ssgproject.content_rule_audit_rules_execution_chcon mediumCCE-80698-4
Record Any Attempts to Run chcon
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_execution_chcon:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80698-4 References:
4.1.3.15, 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, RHEL-08-030260, SV-230419r627750_rule |
| Description | At a minimum, the audit system should collect any execution attempt
of the chcon command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules chcon
oval:ssg-test_audit_rules_execution_chcon_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_chcon_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl chcon
oval:ssg-test_audit_rules_execution_chcon_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_chcon_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Any Attempts to Run restoreconxccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon mediumCCE-80699-2
Record Any Attempts to Run restorecon
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_execution_restorecon:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80699-2 References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209 |
| Description | At a minimum, the audit system should collect any execution attempt
of the restorecon command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules restorecon
oval:ssg-test_audit_rules_execution_restorecon_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_restorecon_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/restorecon(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl restorecon
oval:ssg-test_audit_rules_execution_restorecon_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_restorecon_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/restorecon(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Any Attempts to Run semanagexccdf_org.ssgproject.content_rule_audit_rules_execution_semanage mediumCCE-80700-8
Record Any Attempts to Run semanage
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_execution_semanage:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80700-8 References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, RHEL-08-030313, SV-230429r627750_rule |
| Description | At a minimum, the audit system should collect any execution attempt
of the semanage command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules semanage
oval:ssg-test_audit_rules_execution_semanage_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_semanage_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/semanage(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl semanage
oval:ssg-test_audit_rules_execution_semanage_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_semanage_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/semanage(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Any Attempts to Run setseboolxccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool mediumCCE-80701-6
Record Any Attempts to Run setsebool
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_execution_setsebool:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80701-6 References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, RHEL-08-030316, SV-230432r627750_rule |
| Description | At a minimum, the audit system should collect any execution attempt
of the setsebool command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules setsebool
oval:ssg-test_audit_rules_execution_setsebool_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_setsebool_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setsebool(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl setsebool
oval:ssg-test_audit_rules_execution_setsebool_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_setsebool_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setsebool(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects File Deletion Events by User - renamexccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename mediumCCE-80703-2
Ensure auditd Collects File Deletion Events by User - rename
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_file_deletion_events_rename:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80703-2 References:
BP28(R73), 4.1.3.13, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, RHEL-08-030361, SV-230439r810465_rule |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
malicious processes that attempt to delete log files to conceal their presence. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit rename
oval:ssg-test_32bit_ardm_rename_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_rename_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit rename
oval:ssg-test_64bit_ardm_rename_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_rename_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit rename
oval:ssg-test_32bit_ardm_rename_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_rename_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit rename
oval:ssg-test_64bit_ardm_rename_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_rename_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects File Deletion Events by User - renameatxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat mediumCCE-80704-0
Ensure auditd Collects File Deletion Events by User - renameat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_file_deletion_events_renameat:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80704-0 References:
BP28(R73), 4.1.3.13, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, RHEL-08-030361, SV-230439r810465_rule |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
malicious processes that attempt to delete log files to conceal their presence. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit renameat
oval:ssg-test_32bit_ardm_renameat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_renameat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit renameat
oval:ssg-test_64bit_ardm_renameat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_renameat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit renameat
oval:ssg-test_32bit_ardm_renameat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_renameat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit renameat
oval:ssg-test_64bit_ardm_renameat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_renameat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects File Deletion Events by User - rmdirxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir mediumCCE-80705-7
Ensure auditd Collects File Deletion Events by User - rmdir
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_file_deletion_events_rmdir:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80705-7 References:
BP28(R73), 4.1.14, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, RHEL-08-030361, SV-230439r810465_rule |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
malicious processes that attempt to delete log files to conceal their presence. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit rmdir
oval:ssg-test_32bit_ardm_rmdir_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_rmdir_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit rmdir
oval:ssg-test_64bit_ardm_rmdir_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_rmdir_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit rmdir
oval:ssg-test_32bit_ardm_rmdir_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_rmdir_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit rmdir
oval:ssg-test_64bit_ardm_rmdir_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_rmdir_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects File Deletion Events by User - unlinkxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink mediumCCE-80706-5
Ensure auditd Collects File Deletion Events by User - unlink
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_file_deletion_events_unlink:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80706-5 References:
BP28(R73), 4.1.3.13, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, RHEL-08-030361, SV-230439r810465_rule |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
malicious processes that attempt to delete log files to conceal their presence. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit unlink
oval:ssg-test_32bit_ardm_unlink_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_unlink_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit unlink
oval:ssg-test_64bit_ardm_unlink_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_unlink_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit unlink
oval:ssg-test_32bit_ardm_unlink_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_unlink_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit unlink
oval:ssg-test_64bit_ardm_unlink_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_unlink_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects File Deletion Events by User - unlinkatxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat mediumCCE-80707-3
Ensure auditd Collects File Deletion Events by User - unlinkat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_file_deletion_events_unlinkat:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80707-3 References:
BP28(R73), 4.1.3.13, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, RHEL-08-030361, SV-230439r810465_rule |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
malicious processes that attempt to delete log files to conceal their presence. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit unlinkat
oval:ssg-test_32bit_ardm_unlinkat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_unlinkat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit unlinkat
oval:ssg-test_64bit_ardm_unlinkat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_unlinkat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit unlinkat
oval:ssg-test_32bit_ardm_unlinkat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_unlinkat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit unlinkat
oval:ssg-test_64bit_ardm_unlinkat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_unlinkat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Access Attempts to Files - creatxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat mediumCCE-80751-1
Record Unsuccessful Access Attempts to Files - creat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_creat:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80751-1 References:
BP28(R73), 4.1.3.7, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, 10.2.1.1, 10.2.1.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, RHEL-08-030420, SV-230449r810455_rule |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-80751-1
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_creat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit creat tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-80751-1
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_creat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for creat EACCES for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80751-1
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_creat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for creat EACCES for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-80751-1
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_creat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for creat EPERM for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80751-1
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_creat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for creat EPERM for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-80751-1
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_creat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_creat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_creat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_creat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_creat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_creat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_creat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_creat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_creat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_creat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_creat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* |
| /etc/audit/audit.rules | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_creat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_creat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* |
| /etc/audit/audit.rules | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_creat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_creat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* |
| /etc/audit/audit.rules | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_creat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_creat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* |
| /etc/audit/audit.rules | 1 |
Record Unsuccessful Access Attempts to Files - ftruncatexccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate mediumCCE-80752-9
Record Unsuccessful Access Attempts to Files - ftruncate
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_ftruncate:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80752-9 References:
BP28(R73), 4.1.3.7, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, 10.2.1.1, 10.2.1.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, RHEL-08-030420, SV-230449r810455_rule |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-80752-9
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_ftruncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit ftruncate tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-80752-9
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_ftruncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for ftruncate EACCES for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80752-9
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_ftruncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for ftruncate EACCES for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-80752-9
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_ftruncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for ftruncate EPERM for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80752-9
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_ftruncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for ftruncate EPERM for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-80752-9
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_ftruncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_ftruncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_ftruncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_ftruncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_ftruncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_ftruncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_ftruncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_ftruncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_ftruncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_ftruncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_ftruncate_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_ftruncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_ftruncate_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_ftruncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_ftruncate_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_ftruncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_ftruncate_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
Record Unsuccessful Access Attempts to Files - openxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open mediumCCE-80753-7
Record Unsuccessful Access Attempts to Files - open
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_open:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80753-7 References:
BP28(R73), 4.1.3.7, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, 10.2.1.1, 10.2.1.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, RHEL-08-030420, SV-230449r810455_rule |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-80753-7
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_open
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit open tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-80753-7
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_open
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for open EACCES for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80753-7
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_open
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for open EACCES for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-80753-7
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_open
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for open EPERM for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80753-7
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_open
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for open EPERM for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-80753-7
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_open
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_open_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_open_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_open_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_open_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_open_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_open_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_open_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_open_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_open_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_open_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_open_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_open_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_open_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_open_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_open_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_open_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
Record Unsuccessful Access Attempts to Files - open_by_handle_atxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at mediumCCE-80755-2
Record Unsuccessful Access Attempts to Files - open_by_handle_at
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80755-2 References:
4.1.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, 10.2.1.1, 10.2.1.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, RHEL-08-030420, SV-230449r810455_rule |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-80755-2
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_open_by_handle_at
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit open_by_handle_at tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-80755-2
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_open_by_handle_at
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for open_by_handle_at EACCES for 32bit
platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- open_by_handle_at
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open_by_handle_at in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- open_by_handle_at
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open_by_handle_at in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80755-2
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_open_by_handle_at
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for open_by_handle_at EACCES for 64bit
platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- open_by_handle_at
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open_by_handle_at in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- open_by_handle_at
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open_by_handle_at in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-80755-2
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_open_by_handle_at
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for open_by_handle_at EPERM for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- open_by_handle_at
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open_by_handle_at in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- open_by_handle_at
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open_by_handle_at in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80755-2
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_open_by_handle_at
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for open_by_handle_at EPERM for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- open_by_handle_at
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open_by_handle_at in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- open_by_handle_at
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open_by_handle_at in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-80755-2
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_open_by_handle_at
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_open_by_handle_at_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_open_by_handle_at_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_open_by_handle_at_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_open_by_handle_at_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_open_by_handle_at_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_open_by_handle_at_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_open_by_handle_at_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_open_by_handle_at_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_open_by_handle_at_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_open_by_handle_at_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_open_by_handle_at_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_open_by_handle_at_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_open_by_handle_at_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_open_by_handle_at_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_open_by_handle_at_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_open_by_handle_at_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
Record Unsuccessful Access Attempts to Files - openatxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat mediumCCE-80754-5
Record Unsuccessful Access Attempts to Files - openat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_openat:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80754-5 References:
BP28(R73), 4.1.3.7, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, 10.2.1.1, 10.2.1.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, RHEL-08-030420, SV-230449r810455_rule |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-80754-5
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_openat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit openat tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-80754-5
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_openat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for openat EACCES for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80754-5
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_openat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for openat EACCES for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-80754-5
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_openat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for openat EPERM for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80754-5
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_openat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for openat EPERM for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-80754-5
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_openat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_openat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_openat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_openat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_openat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_openat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_openat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_openat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_openat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_openat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_openat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_openat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_openat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_openat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_openat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_openat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_openat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
Record Unsuccessful Access Attempts to Files - truncatexccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate mediumCCE-80756-0
Record Unsuccessful Access Attempts to Files - truncate
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_truncate:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80756-0 References:
BP28(R73), 4.1.3.7, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, 10.2.1.1, 10.2.1.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, RHEL-08-030420, SV-230449r810455_rule |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-80756-0
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_truncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit truncate tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-80756-0
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_truncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for truncate EACCES for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80756-0
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_truncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for truncate EACCES for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-80756-0
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_truncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for truncate EPERM for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80756-0
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_truncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for truncate EPERM for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-80756-0
- DISA-STIG-RHEL-08-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- PCI-DSSv4-10.2.1.1
- PCI-DSSv4-10.2.1.4
- audit_rules_unsuccessful_file_modification_truncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_truncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_truncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_truncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_truncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_truncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_truncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_truncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_truncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_truncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_truncate_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_truncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_truncate_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_truncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_truncate_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_truncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_truncate_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
Ensure auditd Collects Information on Kernel Module Unloading - delete_modulexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete mediumCCE-80711-5
Ensure auditd Collects Information on Kernel Module Unloading - delete_module
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_kernel_module_loading_delete:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80711-5 References:
BP28(R73), 4.1.3.19, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, RHEL-08-030390, SV-230446r627750_rule |
| Description | To capture kernel module unloading events, use following line, setting ARCH to
either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules. |
| Rationale | The removal of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel. |
|
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit delete_module
oval:ssg-test_32bit_ardm_delete_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_delete_module_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit delete_module
oval:ssg-test_64bit_ardm_delete_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_delete_module_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit delete_module
oval:ssg-test_32bit_ardm_delete_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_delete_module_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit delete_module
oval:ssg-test_64bit_ardm_delete_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_delete_module_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on Kernel Module Loading - init_modulexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init mediumCCE-80713-1
Ensure auditd Collects Information on Kernel Module Loading - init_module
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_kernel_module_loading_init:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80713-1 References:
BP28(R73), 4.1.3.19, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, RHEL-08-030360, SV-230438r810464_rule |
| Description | To capture kernel module loading events, use following line, setting ARCH to
either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules. |
| Rationale | The addition of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel. |
|
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit init_module
oval:ssg-test_32bit_ardm_init_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_init_module_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit init_module
oval:ssg-test_64bit_ardm_init_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_init_module_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit init_module
oval:ssg-test_32bit_ardm_init_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_init_module_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit init_module
oval:ssg-test_64bit_ardm_init_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_init_module_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Attempts to Alter Logon and Logout Events - faillockxccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock mediumCCE-80718-0
Record Attempts to Alter Logon and Logout Events - faillock
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_login_events_faillock:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80718-0 References:
BP28(R73), 4.1.3.12, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.3, 10.2.1.3, SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218, RHEL-08-030590, SV-230466r627750_rule |
| Description | The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/faillock -p wa -k logins
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for unattempted manual
edits of files involved in storing logon events:
-w /var/log/faillock -p wa -k logins |
| Rationale | Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules faillock
oval:ssg-test_arle_faillock_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arle_faillock_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/var\/log\/faillock[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl faillock
oval:ssg-test_arle_faillock_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arle_faillock_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^\-w[\s]+\/var\/log\/faillock[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Record Attempts to Alter Logon and Logout Events - lastlogxccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog mediumCCE-80719-8
Record Attempts to Alter Logon and Logout Events - lastlog
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_login_events_lastlog:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80719-8 References:
BP28(R73), 4.1.3.12, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.3, 10.2.1.3, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000470-GPOS-00214, RHEL-08-030600, SV-230467r627750_rule |
| Description | The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for unattempted manual
edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins |
| Rationale | Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules lastlog
oval:ssg-test_arle_lastlog_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arle_lastlog_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/var\/log\/lastlog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl lastlog
oval:ssg-test_arle_lastlog_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arle_lastlog_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^\-w[\s]+\/var\/log\/lastlog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Record Attempts to Alter Logon and Logout Events - tallylogxccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog mediumCCE-80720-6
Record Attempts to Alter Logon and Logout Events - tallylog
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_login_events_tallylog:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80720-6 References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, CCI-000126, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.3, 10.2.1.3, SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218 |
| Description | The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for unattempted manual
edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins |
| Rationale | Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules tallylog
oval:ssg-test_arle_tallylog_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arle_tallylog_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/var\/log\/tallylog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl tallylog
oval:ssg-test_arle_tallylog_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arle_tallylog_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^\-w[\s]+\/var\/log\/tallylog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - chagexccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage mediumCCE-80725-5
Ensure auditd Collects Information on the Use of Privileged Commands - chage
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_chage:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80725-5 References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, RHEL-08-030250, SV-230418r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules chage
oval:ssg-test_audit_rules_privileged_commands_chage_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_chage_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chage(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl chage
oval:ssg-test_audit_rules_privileged_commands_chage_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_chage_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chage(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - chshxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh mediumCCE-80726-3
Ensure auditd Collects Information on the Use of Privileged Commands - chsh
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_chsh:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80726-3 References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030410, SV-230448r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules chsh
oval:ssg-test_audit_rules_privileged_commands_chsh_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_chsh_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chsh(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl chsh
oval:ssg-test_audit_rules_privileged_commands_chsh_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_chsh_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chsh(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - crontabxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab mediumCCE-80727-1
Ensure auditd Collects Information on the Use of Privileged Commands - crontab
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_crontab:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80727-1 References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030400, SV-230447r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules crontab
oval:ssg-test_audit_rules_privileged_commands_crontab_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_crontab_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/crontab(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl crontab
oval:ssg-test_audit_rules_privileged_commands_crontab_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_crontab_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/crontab(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswdxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd mediumCCE-80728-9
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_gpasswd:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80728-9 References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, RHEL-08-030370, SV-230444r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules gpasswd
oval:ssg-test_audit_rules_privileged_commands_gpasswd_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_gpasswd_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/gpasswd(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl gpasswd
oval:ssg-test_audit_rules_privileged_commands_gpasswd_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_gpasswd_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/gpasswd(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - newgrpxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp mediumCCE-80729-7
Ensure auditd Collects Information on the Use of Privileged Commands - newgrp
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_newgrp:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80729-7 References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000169, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, RHEL-08-030350, SV-230437r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules newgrp
oval:ssg-test_audit_rules_privileged_commands_newgrp_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_newgrp_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgrp(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl newgrp
oval:ssg-test_audit_rules_privileged_commands_newgrp_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_newgrp_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgrp(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_checkxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check mediumCCE-80730-5
Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_pam_timestamp_check:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80730-5 References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, RHEL-08-030340, SV-230436r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/pam_timestamp_check
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/pam_timestamp_check
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules pam_timestamp_check
oval:ssg-test_audit_rules_privileged_commands_pam_timestamp_check_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_pam_timestamp_check_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/pam_timestamp_check(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl pam_timestamp_check
oval:ssg-test_audit_rules_privileged_commands_pam_timestamp_check_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_pam_timestamp_check_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/pam_timestamp_check(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - passwdxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd mediumCCE-80731-3
Ensure auditd Collects Information on the Use of Privileged Commands - passwd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_passwd:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80731-3 References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, RHEL-08-030290, SV-230422r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules passwd
oval:ssg-test_audit_rules_privileged_commands_passwd_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_passwd_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/passwd(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl passwd
oval:ssg-test_audit_rules_privileged_commands_passwd_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_passwd_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/passwd(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - postdropxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop mediumCCE-80732-1
Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_postdrop:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80732-1 References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030311, SV-230427r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules postdrop
oval:ssg-test_audit_rules_privileged_commands_postdrop_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_postdrop_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postdrop(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl postdrop
oval:ssg-test_audit_rules_privileged_commands_postdrop_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_postdrop_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postdrop(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - postqueuexccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue mediumCCE-80733-9
Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_postqueue:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80733-9 References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030312, SV-230428r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules postqueue
oval:ssg-test_audit_rules_privileged_commands_postqueue_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_postqueue_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postqueue(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl postqueue
oval:ssg-test_audit_rules_privileged_commands_postqueue_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_postqueue_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postqueue(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysignxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign mediumCCE-80735-4
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_ssh_keysign:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80735-4 References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, RHEL-08-030320, SV-230434r744002_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules ssh_keysign
oval:ssg-test_audit_rules_privileged_commands_ssh_keysign_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_ssh_keysign_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl ssh_keysign
oval:ssg-test_audit_rules_privileged_commands_ssh_keysign_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_ssh_keysign_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - suxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su mediumCCE-80736-2
Ensure auditd Collects Information on the Use of Privileged Commands - su
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_su:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80736-2 References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-0003, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-APP-000029-CTR-000085, RHEL-08-030190, SV-230412r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules su
oval:ssg-test_audit_rules_privileged_commands_su_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_su_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/su(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl su
oval:ssg-test_audit_rules_privileged_commands_su_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_su_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/su(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - sudoxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo mediumCCE-80737-0
Ensure auditd Collects Information on the Use of Privileged Commands - sudo
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_sudo:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80737-0 References:
BP28(R19), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-APP-000029-CTR-000085, RHEL-08-030550, SV-230462r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules sudo
oval:ssg-test_audit_rules_privileged_commands_sudo_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_sudo_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudo(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl sudo
oval:ssg-test_audit_rules_privileged_commands_sudo_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_sudo_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudo(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - sudoeditxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit mediumCCE-80738-8
Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_sudoedit:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80738-8 References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules sudoedit
oval:ssg-test_audit_rules_privileged_commands_sudoedit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_sudoedit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudoedit(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl sudoedit
oval:ssg-test_audit_rules_privileged_commands_sudoedit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_sudoedit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudoedit(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - umountxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount mediumCCE-80739-6
Ensure auditd Collects Information on the Use of Privileged Commands - umount
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_umount:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80739-6 References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000169, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, RHEL-08-030301, SV-230424r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules umount
oval:ssg-test_audit_rules_privileged_commands_umount_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_umount_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/umount(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl umount
oval:ssg-test_audit_rules_privileged_commands_umount_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_umount_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/umount(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwdxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd mediumCCE-80740-4
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_unix_chkpwd:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80740-4 References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R6.5, AC-2(4), AU-2(d), AU-3, AU-3.1, AU-12(a), AU-12(c), AU-12.1(ii), AU-12.1(iv), AC-6(9), CM-6(a), MA-4(1)(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, RHEL-08-030317, SV-230433r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules unix_chkpwd
oval:ssg-test_audit_rules_privileged_commands_unix_chkpwd_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_unix_chkpwd_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/unix_chkpwd(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl unix_chkpwd
oval:ssg-test_audit_rules_privileged_commands_unix_chkpwd_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_unix_chkpwd_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/unix_chkpwd(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - userhelperxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper mediumCCE-80741-2
Ensure auditd Collects Information on the Use of Privileged Commands - userhelper
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_userhelper:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80741-2 References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030315, SV-230431r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules userhelper
oval:ssg-test_audit_rules_privileged_commands_userhelper_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_userhelper_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/userhelper(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl userhelper
oval:ssg-test_audit_rules_privileged_commands_userhelper_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_userhelper_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/userhelper(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record attempts to alter time through adjtimexxccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex mediumCCE-80745-3
Record attempts to alter time through adjtimex
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_time_adjtimex:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80745-3 References:
BP28(R73), 4.1.3.4, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b, 10.6.3 |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
The -k option allows for the specification of a key in string form that can be
used for better reporting capability through ausearch and aureport. Multiple
system calls can be defined on the same line to save space if desired, but is
not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules |
| Rationale | Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited. |
|
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit adjtimex
oval:ssg-test_32bit_art_adjtimex_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_art_adjtimex_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit adjtimex
oval:ssg-test_64bit_art_adjtimex_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_art_adjtimex_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit adjtimex
oval:ssg-test_32bit_art_adjtimex_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_art_adjtimex_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit adjtimex
oval:ssg-test_64bit_art_adjtimex_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_art_adjtimex_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Attempts to Alter Time Through clock_settimexccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime mediumCCE-80746-1
Record Attempts to Alter Time Through clock_settime
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_time_clock_settime:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80746-1 References:
BP28(R73), 4.1.3.4, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b, 10.6.3 |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
The -k option allows for the specification of a key in string form that can
be used for better reporting capability through ausearch and aureport.
Multiple system calls can be defined on the same line to save space if
desired, but is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules |
| Rationale | Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited. |
|
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit clock_settime
oval:ssg-test_32bit_art_clock_settime_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_art_clock_settime_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit clock_settime
oval:ssg-test_64bit_art_clock_settime_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_art_clock_settime_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit clock_settime
oval:ssg-test_32bit_art_clock_settime_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_art_clock_settime_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit clock_settime
oval:ssg-test_64bit_art_clock_settime_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_art_clock_settime_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ | 1 |
Record attempts to alter time through settimeofdayxccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday mediumCCE-80747-9
Record attempts to alter time through settimeofday
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_time_settimeofday:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80747-9 References:
4.1.3.4, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b, 10.6.3 |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
The -k option allows for the specification of a key in string form that can be
used for better reporting capability through ausearch and aureport. Multiple
system calls can be defined on the same line to save space if desired, but is
not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules |
| Rationale | Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited. |
|
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit settimeofday
oval:ssg-test_32bit_art_settimeofday_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_art_settimeofday_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit settimeofday
oval:ssg-test_64bit_art_settimeofday_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_art_settimeofday_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit settimeofday
oval:ssg-test_32bit_art_settimeofday_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_art_settimeofday_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit settimeofday
oval:ssg-test_64bit_art_settimeofday_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_art_settimeofday_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Attempts to Alter Time Through stimexccdf_org.ssgproject.content_rule_audit_rules_time_stime mediumCCE-80748-7
Record Attempts to Alter Time Through stime
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_time_stime |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_time_stime:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80748-7 References:
BP28(R73), 4.1.3.4, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b, 10.6.3 |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d for both 32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit
lookup table, the corresponding "-F arch=b64" form of this rule is not expected
to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule
form itself is sufficient for both 32 bit and 64 bit systems). If the
auditd daemon is configured to use the auditctl utility to
read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file for both 32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit
lookup table, the corresponding "-F arch=b64" form of this rule is not expected
to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule
form itself is sufficient for both 32 bit and 64 bit systems). The -k option
allows for the specification of a key in string form that can be used for
better reporting capability through ausearch and aureport. Multiple system
calls can be defined on the same line to save space if desired, but is not
required. See an example of multiple combined system calls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules |
| Rationale | Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited. |
|
|
|
OVAL test results details32 bit architecture
oval:ssg-test_system_info_architecture_x86:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit stime
oval:ssg-test_32bit_art_stime_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_art_stime_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+stime[\s]+|([\s]+|[,])stime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit stime
oval:ssg-test_32bit_art_stime_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_art_stime_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+stime[\s]+|([\s]+|[,])stime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Attempts to Alter the localtime Filexccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime mediumCCE-80749-5
Record Attempts to Alter the localtime File
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_time_watch_localtime:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80749-5 References:
BP28(R73), 4.1.3.4, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b, 10.6.3, 10.6.3 |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default),
add the following line to a file with suffix .rules in the directory
/etc/audit/rules.d:
-w /etc/localtime -p wa -k audit_time_rules
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-w /etc/localtime -p wa -k audit_time_rules
The -k option allows for the specification of a key in string form that can
be used for better reporting capability through ausearch and aureport and
should always be used. |
| Rationale | Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited. |
|
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit /etc/localtime watch augenrules
oval:ssg-test_artw_etc_localtime_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_artw_etc_localtime_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-w[\s]+\/etc\/localtime[\s]+-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit /etc/localtime watch auditctl
oval:ssg-test_artw_etc_localtime_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_artw_etc_localtime_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-w[\s]+\/etc\/localtime[\s]+-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Make the auditd Configuration Immutablexccdf_org.ssgproject.content_rule_audit_rules_immutable mediumCCE-80708-1
Make the auditd Configuration Immutable
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_immutable |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_immutable:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80708-1 References:
BP28(R73), 4.1.3.20, 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.4.3, CCI-000162, CCI-000163, CCI-000164, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.310(a)(2)(iv), 164.312(d), 164.310(d)(2)(iii), 164.312(b), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.2, 10.3.2, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, RHEL-08-030121, SV-230402r627750_rule |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d in order to make the auditd configuration
immutable:
-e 2
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file in order to make the auditd configuration
immutable:
-e 2
With this setting, a reboot will be required to change any audit rules. |
| Rationale | Making the audit configuration immutable prevents accidental as
well as malicious modification of the audit rules, although it may be
problematic if legitimate changes are needed during system
operation. |
|
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules configuration locked
oval:ssg-test_ari_locked_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_ari_locked_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-e\s+2\s*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl configuration locked
oval:ssg-test_ari_locked_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_ari_locked_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^\-e\s+2\s*$ | 1 |
Record Events that Modify the System's Mandatory Access Controlsxccdf_org.ssgproject.content_rule_audit_rules_mac_modification mediumCCE-80721-4
Record Events that Modify the System's Mandatory Access Controls
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_mac_modification |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_mac_modification:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80721-4 References:
BP28(R73), 4.1.3.14, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.8, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4 |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/selinux/ -p wa -k MAC-policy
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-w /etc/selinux/ -p wa -k MAC-policy |
| Rationale | The system's mandatory access policy (SELinux) should not be
arbitrarily changed by anything other than administrator action. All changes to
MAC policy should be audited. |
|
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit selinux changes augenrules
oval:ssg-test_armm_selinux_watch_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_armm_selinux_watch_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+/etc/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit selinux changes auditctl
oval:ssg-test_armm_selinux_watch_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_armm_selinux_watch_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^\-w[\s]+/etc/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Ensure auditd Collects Information on Exporting to Media (successful)xccdf_org.ssgproject.content_rule_audit_rules_media_export mediumCCE-80722-2
Ensure auditd Collects Information on Exporting to Media (successful)
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_media_export |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_media_export:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80722-2 References:
BP28(R73), 4.1.3.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030302, SV-230425r627750_rule |
| Description | At a minimum, the audit system should collect media exportation
events for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export |
| Rationale | The unauthorized exportation of data to external media could result in an information leak
where classified information, Privacy Act information, and intellectual property could be lost. An audit
trail should be created each time a filesystem is mounted to help identify and guard against information
loss. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit mount
oval:ssg-test_32bit_ardm_mount_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_mount_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit mount
oval:ssg-test_64bit_ardm_mount_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_mount_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit mount
oval:ssg-test_32bit_ardm_mount_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_mount_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit mount
oval:ssg-test_64bit_ardm_mount_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_mount_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Network Environmentxccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification mediumCCE-80723-0
Record Events that Modify the System's Network Environment
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_networkconfig_modification:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80723-0 References:
BP28(R73), 4.1.3.5, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.5.5, 10.3.4 |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification |
| Rationale | The network environment should not be modified by anything other
than administrator action. Any change to network parameters should be
audited. |
Remediation Shell script ⇲# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
OTHER_FILTERS=""
AUID_FILTERS=""
SYSCALL="sethostname setdomainname"
KEY="audit_rules_networkconfig_modification"
SYSCALL_GROUPING="sethostname setdomainname"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule
# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()
# If audit tool is 'augenrules', then check if the audit rule is defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
default_file="/etc/audit/rules.d/$KEY.rules"
# As other_filters may include paths, lets use a different delimiter for it
# The "F" script expression tells sed to print the filenames where the expressions matched
readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
if [ ${#files_to_inspect[@]} -eq "0" ]
then
file_to_inspect="/etc/audit/rules.d/$KEY.rules"
files_to_inspect=("$file_to_inspect")
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
chmod 0640 "$file_to_inspect"
fi
fi
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
for audit_file in "${files_to_inspect[@]}"
do
# Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
# i.e, collect rules that match:
# * the action, list and arch, (2-nd argument)
# * the other filters, (3-rd argument)
# * the auid filters, (4-rd argument)
readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
candidate_rules=()
# Filter out rules that have more fields then required. This will remove rules more specific than the required scope
for s_rule in "${similar_rules[@]}"
do
# Strip all the options and fields we know of,
# than check if there was any field left over
extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
done
if [[ ${#syscall_a[@]} -ge 1 ]]
then
# Check if the syscall we want is present in any of the similar existing rules
for rule in "${candidate_rules[@]}"
do
rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
all_syscalls_found=0
for syscall in "${syscall_a[@]}"
do
grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
# A syscall was not found in the candidate rule
all_syscalls_found=1
}
done
if [[ $all_syscalls_found -eq 0 ]]
then
# We found a rule with all the syscall(s) we want; skip rest of macro
skip=0
break
fi
# Check if this rule can be grouped with our target syscall and keep track of it
for syscall_g in "${syscall_grouping[@]}"
do
if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
then
file_to_edit=${audit_file}
rule_to_edit=${rule}
rule_syscalls_to_edit=${rule_syscalls}
fi
done
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
fi
if [ "$skip" -eq 0 ]; then
break
fi
done
if [ "$skip" -ne 0 ]; then
# We checked all rules that matched the expected resemblance pattern (action, arch & auid)
# At this point we know if we need to either append the $full_rule or group
# the syscall together with an exsiting rule
# Append the full_rule if it cannot be grouped to any other rule
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
do
syscall_string+=" -S $syscall"
done
fi
other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
echo "$full_rule" >> "$default_file"
chmod o-rwx ${default_file}
else
# Check if the syscalls are declared as a comma separated list or
# as multiple -S parameters
if grep -q -- "," <<< "${rule_syscalls_to_edit}"
then
delimiter=","
else
delimiter=" -S "
fi
new_grouped_syscalls="${rule_syscalls_to_edit}"
for syscall in "${syscall_a[@]}"
do
grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
# A syscall was not found in the candidate rule
new_grouped_syscalls+="${delimiter}${syscall}"
}
done
# Group the syscall in the rule
sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
fi
fi
unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule
# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()
# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# file to the list of files to be inspected
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
for audit_file in "${files_to_inspect[@]}"
do
# Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
# i.e, collect rules that match:
# * the action, list and arch, (2-nd argument)
# * the other filters, (3-rd argument)
# * the auid filters, (4-rd argument)
readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
candidate_rules=()
# Filter out rules that have more fields then required. This will remove rules more specific than the required scope
for s_rule in "${similar_rules[@]}"
do
# Strip all the options and fields we know of,
# than check if there was any field left over
extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
done
if [[ ${#syscall_a[@]} -ge 1 ]]
then
# Check if the syscall we want is present in any of the similar existing rules
for rule in "${candidate_rules[@]}"
do
rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
all_syscalls_found=0
for syscall in "${syscall_a[@]}"
do
grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
# A syscall was not found in the candidate rule
all_syscalls_found=1
}
done
if [[ $all_syscalls_found -eq 0 ]]
then
# We found a rule with all the syscall(s) we want; skip rest of macro
skip=0
break
fi
# Check if this rule can be grouped with our target syscall and keep track of it
for syscall_g in "${syscall_grouping[@]}"
do
if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
then
file_to_edit=${audit_file}
rule_to_edit=${rule}
rule_syscalls_to_edit=${rule_syscalls}
fi
done
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
fi
if [ "$skip" -eq 0 ]; then
break
fi
done
if [ "$skip" -ne 0 ]; then
# We checked all rules that matched the expected resemblance pattern (action, arch & auid)
# At this point we know if we need to either append the $full_rule or group
# the syscall together with an exsiting rule
# Append the full_rule if it cannot be grouped to any other rule
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
do
syscall_string+=" -S $syscall"
done
fi
other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
echo "$full_rule" >> "$default_file"
chmod o-rwx ${default_file}
else
# Check if the syscalls are declared as a comma separated list or
# as multiple -S parameters
if grep -q -- "," <<< "${rule_syscalls_to_edit}"
then
delimiter=","
else
delimiter=" -S "
fi
new_grouped_syscalls="${rule_syscalls_to_edit}"
for syscall in "${syscall_a[@]}"
do
grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
# A syscall was not found in the candidate rule
new_grouped_syscalls+="${delimiter}${syscall}"
}
done
# Group the syscall in the rule
sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
fi
fi
done
# Then perform the remediations for the watch rules
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
files_to_inspect=()
# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')
# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
if grep -q -P -- "^[\s]*-w[\s]+/etc/issue" "$audit_rules_file"
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
do
# For each from the required access bits (e.g. 'w', 'a') check
# if they are already present in current access bits for rule.
# If not, append that bit at the end
if ! grep -q "$access_bit" <<< "$current_access_bits"
then
# Concatenate the existing mask with the missing bit
current_access_bits="$current_access_bits$access_bit"
fi
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
sed -i "s#\($sp*-w$sp\+/etc/issue$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
files_to_inspect=()
# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/issue" /etc/audit/rules.d/*.rules)
# For each of the matched entries
for match in "${matches[@]}"
do
# Extract filepath from the match
rulesd_audit_file=$(echo $match | cut -f1 -d ':')
# Append that path into list of files for inspection
files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
# Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection
key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules"
# If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
chmod 0640 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
if grep -q -P -- "^[\s]*-w[\s]+/etc/issue" "$audit_rules_file"
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
do
# For each from the required access bits (e.g. 'w', 'a') check
# if they are already present in current access bits for rule.
# If not, append that bit at the end
if ! grep -q "$access_bit" <<< "$current_access_bits"
then
# Concatenate the existing mask with the missing bit
current_access_bits="$current_access_bits$access_bit"
fi
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
sed -i "s#\($sp*-w$sp\+/etc/issue$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
files_to_inspect=()
# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')
# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
if grep -q -P -- "^[\s]*-w[\s]+/etc/issue.net" "$audit_rules_file"
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue.net $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
do
# For each from the required access bits (e.g. 'w', 'a') check
# if they are already present in current access bits for rule.
# If not, append that bit at the end
if ! grep -q "$access_bit" <<< "$current_access_bits"
then
# Concatenate the existing mask with the missing bit
current_access_bits="$current_access_bits$access_bit"
fi
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
sed -i "s#\($sp*-w$sp\+/etc/issue.net$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
files_to_inspect=()
# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/issue.net" /etc/audit/rules.d/*.rules)
# For each of the matched entries
for match in "${matches[@]}"
do
# Extract filepath from the match
rulesd_audit_file=$(echo $match | cut -f1 -d ':')
# Append that path into list of files for inspection
files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
# Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection
key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules"
# If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
chmod 0640 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
if grep -q -P -- "^[\s]*-w[\s]+/etc/issue.net" "$audit_rules_file"
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue.net $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
do
# For each from the required access bits (e.g. 'w', 'a') check
# if they are already present in current access bits for rule.
# If not, append that bit at the end
if ! grep -q "$access_bit" <<< "$current_access_bits"
then
# Concatenate the existing mask with the missing bit
current_access_bits="$current_access_bits$access_bit"
fi
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
sed -i "s#\($sp*-w$sp\+/etc/issue.net$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
files_to_inspect=()
# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')
# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
if grep -q -P -- "^[\s]*-w[\s]+/etc/hosts" "$audit_rules_file"
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/hosts $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
do
# For each from the required access bits (e.g. 'w', 'a') check
# if they are already present in current access bits for rule.
# If not, append that bit at the end
if ! grep -q "$access_bit" <<< "$current_access_bits"
then
# Concatenate the existing mask with the missing bit
current_access_bits="$current_access_bits$access_bit"
fi
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
sed -i "s#\($sp*-w$sp\+/etc/hosts$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
files_to_inspect=()
# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/hosts" /etc/audit/rules.d/*.rules)
# For each of the matched entries
for match in "${matches[@]}"
do
# Extract filepath from the match
rulesd_audit_file=$(echo $match | cut -f1 -d ':')
# Append that path into list of files for inspection
files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
# Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection
key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules"
# If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
chmod 0640 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
if grep -q -P -- "^[\s]*-w[\s]+/etc/hosts" "$audit_rules_file"
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/hosts $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
do
# For each from the required access bits (e.g. 'w', 'a') check
# if they are already present in current access bits for rule.
# If not, append that bit at the end
if ! grep -q "$access_bit" <<< "$current_access_bits"
then
# Concatenate the existing mask with the missing bit
current_access_bits="$current_access_bits$access_bit"
fi
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
sed -i "s#\($sp*-w$sp\+/etc/hosts$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
files_to_inspect=()
# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')
# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
if grep -q -P -- "^[\s]*-w[\s]+/etc/sysconfig/network" "$audit_rules_file"
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
do
# For each from the required access bits (e.g. 'w', 'a') check
# if they are already present in current access bits for rule.
# If not, append that bit at the end
if ! grep -q "$access_bit" <<< "$current_access_bits"
then
# Concatenate the existing mask with the missing bit
current_access_bits="$current_access_bits$access_bit"
fi
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
sed -i "s#\($sp*-w$sp\+/etc/sysconfig/network$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
echo "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
files_to_inspect=()
# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sysconfig/network" /etc/audit/rules.d/*.rules)
# For each of the matched entries
for match in "${matches[@]}"
do
# Extract filepath from the match
rulesd_audit_file=$(echo $match | cut -f1 -d ':')
# Append that path into list of files for inspection
files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
# Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection
key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules"
# If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
chmod 0640 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
if grep -q -P -- "^[\s]*-w[\s]+/etc/sysconfig/network" "$audit_rules_file"
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
do
# For each from the required access bits (e.g. 'w', 'a') check
# if they are already present in current access bits for rule.
# If not, append that bit at the end
if ! grep -q "$access_bit" <<< "$current_access_bits"
then
# Concatenate the existing mask with the missing bit
current_access_bits="$current_access_bits$access_bit"
fi
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
sed -i "s#\($sp*-w$sp\+/etc/sysconfig/network$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
echo "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
fi
done
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
|
Remediation Ansible snippet ⇲| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | false |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set architecture for audit tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Remediate audit rules for network configuration for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- sethostname
- setdomainname
syscall_grouping:
- sethostname
- setdomainname
- name: Check existence of sethostname, setdomainname in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
set_fact: audit_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- sethostname
- setdomainname
syscall_grouping:
- sethostname
- setdomainname
- name: Check existence of sethostname, setdomainname in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Remediate audit rules for network configuration for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- sethostname
- setdomainname
syscall_grouping:
- sethostname
- setdomainname
- name: Check existence of sethostname, setdomainname in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
set_fact: audit_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- sethostname
- setdomainname
syscall_grouping:
- sethostname
- setdomainname
- name: Check existence of sethostname, setdomainname in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
create: true
mode: o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- audit_arch == "b64"
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check if watch rule for /etc/issue already exists in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification
find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
patterns: '*.rules'
register: find_watch_key
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the
recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Add watch rule for /etc/issue in /etc/audit/rules.d/
lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification
create: true
mode: '0640'
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check if watch rule for /etc/issue already exists in /etc/audit/audit.rules
find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Add watch rule for /etc/issue in /etc/audit/audit.rules
lineinfile:
line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0640'
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check if watch rule for /etc/issue.net already exists in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification
find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
patterns: '*.rules'
register: find_watch_key
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the
recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Add watch rule for /etc/issue.net in /etc/audit/rules.d/
lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
create: true
mode: '0640'
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check if watch rule for /etc/issue.net already exists in /etc/audit/audit.rules
find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Add watch rule for /etc/issue.net in /etc/audit/audit.rules
lineinfile:
line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0640'
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check if watch rule for /etc/hosts already exists in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification
find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
patterns: '*.rules'
register: find_watch_key
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the
recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Add watch rule for /etc/hosts in /etc/audit/rules.d/
lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
create: true
mode: '0640'
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check if watch rule for /etc/hosts already exists in /etc/audit/audit.rules
find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Add watch rule for /etc/hosts in /etc/audit/audit.rules
lineinfile:
line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0640'
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification
find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
patterns: '*.rules'
register: find_watch_key
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the
recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Add watch rule for /etc/sysconfig/network in /etc/audit/rules.d/
lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
create: true
mode: '0640'
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/audit.rules
find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Add watch rule for /etc/sysconfig/network in /etc/audit/audit.rules
lineinfile:
line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0640'
when:
- '"audit" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
- CCE-80723-0
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit /etc/issue augenrules
oval:ssg-test_arnm_etc_issue_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_issue_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit /etc/issue.net augenrules
oval:ssg-test_arnm_etc_issue_net_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_issue_net_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit /etc/hosts augenrules
oval:ssg-test_arnm_etc_hosts_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_hosts_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit /etc/sysconfig/network augenrules
oval:ssg-test_arnm_etc_sysconfig_network_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_sysconfig_network_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit sethostname
oval:ssg-test_32bit_ardm_sethostname_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_sethostname_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit sethostname
oval:ssg-test_64bit_ardm_sethostname_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_sethostname_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit sethostname
oval:ssg-test_32bit_ardm_sethostname_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_sethostname_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit sethostname
oval:ssg-test_64bit_ardm_sethostname_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_sethostname_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit setdomainname
oval:ssg-test_32bit_ardm_setdomainname_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setdomainname_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit setdomainname
oval:ssg-test_64bit_ardm_setdomainname_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setdomainname_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit setdomainname
oval:ssg-test_32bit_ardm_setdomainname_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setdomainname_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit setdomainname
oval:ssg-test_64bit_ardm_setdomainname_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setdomainname_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit /etc/issue auditctl
oval:ssg-test_arnm_etc_issue_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_issue_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit /etc/issue.net auditctl
oval:ssg-test_arnm_etc_issue_net_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_issue_net_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit /etc/hosts auditctl
oval:ssg-test_arnm_etc_hosts_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_hosts_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit /etc/sysconfig/network auditctl
oval:ssg-test_arnm_etc_sysconfig_network_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_sysconfig_network_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit sethostname
oval:ssg-test_32bit_ardm_sethostname_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_sethostname_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit sethostname
oval:ssg-test_64bit_ardm_sethostname_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_sethostname_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit sethostname
oval:ssg-test_32bit_ardm_sethostname_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_sethostname_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit sethostname
oval:ssg-test_64bit_ardm_sethostname_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_sethostname_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit setdomainname
oval:ssg-test_32bit_ardm_setdomainname_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setdomainname_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit augenrules 64-bit setdomainname
oval:ssg-test_64bit_ardm_setdomainname_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setdomainname_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit setdomainname
oval:ssg-test_32bit_ardm_setdomainname_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setdomainname_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
audit auditctl 64-bit setdomainname
oval:ssg-test_64bit_ardm_setdomainname_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setdomainname_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Attempts to Alter Process and Session Initiation Informationxccdf_org.ssgproject.content_rule_audit_rules_session_events mediumCCE-80742-0
Record Attempts to Alter Process and Session Initiation Information
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_session_events |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_session_events:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80742-0 References:
BP28(R73), 4.1.3.11, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, 0582, 0584, 05885, 0586, 0846, 0957, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.3, 10.2.1.3 |
| Description | The audit system already collects process information for all
users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for attempted manual
edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session |
| Rationale | Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion. |
|
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules utmp
oval:ssg-test_arse_utmp_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arse_utmp_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w\s+/var/run/utmp\s+\-p\s+wa\b.*$ | 1 |
audit augenrules btmp
oval:ssg-test_arse_btmp_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arse_btmp_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w\s+/var/log/btmp\s+\-p\s+wa\b.*$ | 1 |
audit augenrules wtmp
oval:ssg-test_arse_wtmp_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arse_wtmp_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w\s+/var/log/wtmp\s+\-p\s+wa\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl utmp
oval:ssg-test_arse_utmp_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arse_utmp_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^\-w\s+/var/run/utmp\s+\-p\s+wa\b.*$ | 1 |
audit auditctl btmp
oval:ssg-test_arse_btmp_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arse_btmp_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^\-w\s+/var/log/btmp\s+\-p\s+wa\b.*$ | 1 |
audit auditctl wtmp
oval:ssg-test_arse_wtmp_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arse_wtmp_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^\-w\s+/var/log/wtmp\s+\-p\s+wa\b.*$ | 1 |
Ensure auditd Collects System Administrator Actionsxccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions mediumCCE-80743-8
Ensure auditd Collects System Administrator Actions
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_sysadmin_actions:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80743-8 References:
BP28(R73), 4.1.3.1, 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-2(7)(b), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.2, Req-10.2.5.b, 10.2.1.5, 10.2.2, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-APP-000026-CTR-000070, SRG-APP-000027-CTR-000075, SRG-APP-000028-CTR-000080, SRG-APP-000291-CTR-000675, SRG-APP-000292-CTR-000680, SRG-APP-000293-CTR-000685, SRG-APP-000294-CTR-000690, SRG-APP-000319-CTR-000745, SRG-APP-000320-CTR-000750, SRG-APP-000509-CTR-001305 |
| Description | At a minimum, the audit system should collect administrator actions
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default),
add the following line to a file with suffix .rules in the directory
/etc/audit/rules.d:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions |
| Rationale | The actions taken by system administrators should be audited to keep a record
of what was executed on the system, as well as, for accountability purposes. |
|
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules sudoers
oval:ssg-test_audit_rules_sysadmin_actions_sudoers_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_sysadmin_actions_sudoers_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit augenrules sudoers
oval:ssg-test_audit_rules_sysadmin_actions_sudoers_d_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_sysadmin_actions_sudoers_d_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl sudoers
oval:ssg-test_audit_rules_sysadmin_actions_sudoers_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_sysadmin_actions_sudoers_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl sudoers
oval:ssg-test_audit_rules_sysadmin_actions_sudoers_d_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_sysadmin_actions_sudoers_d_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Shutdown System When Auditing Failures Occurxccdf_org.ssgproject.content_rule_audit_rules_system_shutdown mediumCCE-80744-6
Shutdown System When Auditing Failures Occur
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_system_shutdown:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80744-6 References:
1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, 3.3.1, 3.3.4, CCI-000139, CCI-000140, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, AU-5(b), SC-24, CM-6(a), PR.PT-1, SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023 |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to to the bottom of a file with suffix
.rules in the directory /etc/audit/rules.d:
-f 2
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to the
bottom of the /etc/audit/audit.rules file:
-f 2 |
| Rationale | It is critical for the appropriate personnel to be aware if a system
is at risk of failing to process audit logs as required. Without this
notification, the security personnel may be unaware of an impending failure of
the audit capability, and system operation may be adversely affected.
Audit processing failures include software/hardware errors, failures in the
audit capturing mechanisms, and audit storage capacity being reached or
exceeded. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules configuration shutdown
oval:ssg-test_ars_shutdown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_ars_shutdown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-f\s+(\d)\s*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl configuration shutdown
oval:ssg-test_ars_shutdown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_ars_shutdown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^\-f\s+(\d)\s*$ | 1 |
Record Events that Modify User/Group Information - /etc/groupxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group mediumCCE-80758-6
Record Events that Modify User/Group Information - /etc/group
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_usergroup_modification_group:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80758-6 References:
BP28(R73), 4.1.3.8, 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, 10.2.1.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, RHEL-08-030170, SV-230408r627750_rule |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification |
| Rationale | In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules group
oval:ssg-test_audit_rules_usergroup_modification_group_augen:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_group_augen:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/etc\/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit group
oval:ssg-test_audit_rules_usergroup_modification_group_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_group_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^\-w[\s]+\/etc\/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Record Events that Modify User/Group Information - /etc/gshadowxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow mediumCCE-80759-4
Record Events that Modify User/Group Information - /etc/gshadow
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_usergroup_modification_gshadow:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80759-4 References:
BP28(R73), 4.1.3.8, 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, 10.2.1.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, RHEL-08-030160, SV-230407r627750_rule |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification |
| Rationale | In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules gshadow
oval:ssg-test_audit_rules_usergroup_modification_gshadow_augen:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_gshadow_augen:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/etc\/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit gshadow
oval:ssg-test_audit_rules_usergroup_modification_gshadow_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_gshadow_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^\-w[\s]+\/etc\/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Record Events that Modify User/Group Information - /etc/security/opasswdxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd mediumCCE-80760-2
Record Events that Modify User/Group Information - /etc/security/opasswd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_usergroup_modification_opasswd:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80760-2 References:
BP28(R73), 4.1.3.8, 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, 10.2.1.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, RHEL-08-030140, SV-230405r627750_rule |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification |
| Rationale | In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules opasswd
oval:ssg-test_audit_rules_usergroup_modification_opasswd_augen:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_opasswd_augen:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/etc\/security\/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit opasswd
oval:ssg-test_audit_rules_usergroup_modification_opasswd_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_opasswd_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^\-w[\s]+\/etc\/security\/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Record Events that Modify User/Group Information - /etc/passwdxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd mediumCCE-80761-0
Record Events that Modify User/Group Information - /etc/passwd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_usergroup_modification_passwd:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80761-0 References:
BP28(R73), 4.1.3.8, 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, 10.2.1.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107, RHEL-08-030150, SV-230406r627750_rule |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/passwd -p wa -k audit_rules_usergroup_modification |
| Rationale | In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules passwd
oval:ssg-test_audit_rules_usergroup_modification_passwd_augen:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_passwd_augen:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/etc\/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit passwd
oval:ssg-test_audit_rules_usergroup_modification_passwd_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_passwd_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^\-w[\s]+\/etc\/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Record Events that Modify User/Group Information - /etc/shadowxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow mediumCCE-80762-8
Record Events that Modify User/Group Information - /etc/shadow
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_usergroup_modification_shadow:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80762-8 References:
BP28(R73), 4.1.3.8, 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, 10.2.1.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, RHEL-08-030130, SV-230404r627750_rule |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/shadow -p wa -k audit_rules_usergroup_modification |
| Rationale | In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules shadow
oval:ssg-test_audit_rules_usergroup_modification_shadow_augen:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_shadow_augen:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/etc\/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit shadow
oval:ssg-test_audit_rules_usergroup_modification_shadow_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_shadow_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^\-w[\s]+\/etc\/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | 1 |
Configure auditd to use audispd's syslog pluginxccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated mediumCCE-80677-8
Configure auditd to use audispd's syslog plugin
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_audispd_syslog_plugin_activated:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80677-8 References:
1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-000136, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(8), 164.310(d)(2)(iii), 164.312(b), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, AU-4(1), CM-6(a), DE.AE-3, DE.AE-5, PR.PT-1, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.3, 10.3.3, SRG-OS-000479-GPOS-00224, SRG-OS-000342-GPOS-00133 |
| Description | To configure the auditd service to use the
syslog plug-in of the audispd audit event multiplexor, set
the active line in /etc/audit/plugins.d/syslog.conf to yes.
Restart the auditd service:
$ sudo service auditd restart |
| Rationale | The auditd service does not include the ability to send audit
records to a centralized server for management directly. It does, however,
include a plug-in for audit event multiplexor (audispd) to pass audit records
to the local syslog server. |
|
|
OVAL test results detailsaudispd syslog plugin activated
oval:ssg-test_auditd_audispd_syslog_plugin_activated:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_auditd_audispd_syslog_plugin_activated:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/plugins.d/syslog.conf | ^[ ]*active[ ]+=[ ]+yes[ ]*$ | 1 |
Configure auditd flush priorityxccdf_org.ssgproject.content_rule_auditd_data_retention_flush mediumCCE-80680-2
Configure auditd flush priority
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_flush |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_data_retention_flush:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80680-2 References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, CCI-001576, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.3, CIP-004-6 R3.3, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5, AU-11, CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000480-GPOS-00227 |
| Description | The auditd service can be configured to
synchronously write audit event data to disk. Add or correct the following
line in /etc/audit/auditd.conf to ensure that audit event data is
fully synchronized with the log files on the disk:
flush = data |
| Rationale | Audit data should be synchronously written to disk to ensure
log integrity. These parameters assure that all audit event data is fully
synchronized with the log files on the disk. |
|
|
|
OVAL test results detailstest the value of flush parameter in /etc/audit/auditd.conf
oval:ssg-test_auditd_data_retention_flush:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_auditd_data_retention_flush:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/auditd.conf | ^[ ]*flush[ ]+=[ ]+(\S+)[ ]*$ | 1 |
Enable Auditing for Processes Which Start Prior to the Audit Daemonxccdf_org.ssgproject.content_rule_grub2_audit_argument lowCCE-80825-3
Enable Auditing for Processes Which Start Prior to the Audit Daemon
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_audit_argument |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_audit_argument:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-80825-3 References:
4.1.1.3, 1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.02, DSS05.03, DSS05.04, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, CCI-001464, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(1), AU-14(1), AU-10, CM-6(a), IR-5(1), DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.3, 10.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000254-GPOS-00095, RHEL-08-030601, SV-230468r792904_rule |
| Description | To ensure all processes can be audited, even those which start
prior to the audit daemon, add the argument audit=1 to the default
GRUB 2 command line for the Linux operating system.
To ensure that audit=1 is added as a kernel command line
argument to newly installed kernels, add audit=1 to the
default Grub2 command line for Linux operating systems. Modify the line within
/etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... audit=1 ..."
Run the following command to update command line for already installed kernels: # grubby --update-kernel=ALL --args="audit=1" |
| Rationale | Each process on the system carries an "auditable" flag which indicates whether
its activities can be audited. Although auditd takes care of enabling
this for all processes which launch after it does, adding the kernel argument
ensures it is set for every process during boot. |
|
|
|
OVAL test results detailscheck for kernel command line parameters audit=1 in /boot/grub2/grubenv for all kernels
oval:ssg-test_grub2_audit_argument_grub_env:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_audit_argument_grub_env:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /boot/grub2/grubenv | ^kernelopts=(.*)$ | 1 |
check for kernel command line parameters audit=1 in /boot/efi/EFI/redhat/grubenv for all kernels
oval:ssg-test_grub2_audit_argument_grub_env_uefi:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_audit_argument_grub_env_uefi:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /boot/efi/EFI/redhat/grubenv | ^kernelopts=(.*)$ | 1 |
check kernel command line parameters for referenced boot entries reference the $kernelopts variable.
oval:ssg-test_grub2_entries_reference_kernelopts:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_entries_reference_kernelopts:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /boot/loader/entries/ | ^.*\.conf$ | ^options(?:\s+.*)?\s+\$kernelopts\b.*$ | 1 |
check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX
oval:ssg-test_grub2_audit_argument:tst:1
false
Following items have been found on the system:
| Path | Content |
|---|
| /etc/default/grub | GRUB_CMDLINE_LINUX="loglevel=3 crashkernel=auto console=tty1 console=ttyS0 earlyprintk=ttyS0 rootdelay=300" |
check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT
oval:ssg-test_grub2_audit_argument_default:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_audit_argument_default:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/default/grub | ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ | 1 |
Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub
oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/default/grub | GRUB_DISABLE_RECOVERY="true" |
Verify /boot/grub2/grub.cfg Group Ownershipxccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg mediumCCE-80800-6
Verify /boot/grub2/grub.cfg Group Ownership
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg |
| Result | |
| Multi-check rule | no |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80800-6 References:
1.4.2, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-7.1, 2.2.6, SRG-OS-000480-GPOS-00227 |
| Description | The file /boot/grub2/grub.cfg should
be group-owned by the root group to prevent
destruction or modification of the file.
To properly set the group owner of /boot/grub2/grub.cfg, run the command:
$ sudo chgrp root /boot/grub2/grub.cfg |
| Rationale | The root group is a highly-privileged group. Furthermore, the group-owner of this
file should not have any access privileges anyway. |
Verify /boot/grub2/grub.cfg User Ownershipxccdf_org.ssgproject.content_rule_file_owner_grub2_cfg mediumCCE-80805-5
Verify /boot/grub2/grub.cfg User Ownership
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg |
| Result | |
| Multi-check rule | no |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80805-5 References:
1.4.2, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-7.1, 2.2.6 |
| Description | The file /boot/grub2/grub.cfg should
be owned by the root user to prevent destruction
or modification of the file.
To properly set the owner of /boot/grub2/grub.cfg, run the command:
$ sudo chown root /boot/grub2/grub.cfg |
| Rationale | Only root should be able to modify important boot parameters. |
Set Boot Loader Password in grub2xccdf_org.ssgproject.content_rule_grub2_password highCCE-80828-7
Set Boot Loader Password in grub2
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_password |
| Result | |
| Multi-check rule | no |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80828-7 References:
BP28(R17), 1.4.1, 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010150, SV-230235r743925_rule |
| Description | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate a hash for the password
by running the following command:
# grub2-setpassword
When prompted, enter the password that was selected.
|
| Rationale | Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode. |
| Warnings | warning
To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above.
Also, do NOT manually add the superuser account and password to the
grub.cfg file as the grub2-mkconfig command overwrites this file. |
Set the UEFI Boot Loader Passwordxccdf_org.ssgproject.content_rule_grub2_uefi_password highCCE-80829-5
Set the UEFI Boot Loader Password
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_uefi_password |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_uefi_password:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80829-5 References:
BP28(R17), 1.4.1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010140, SV-230234r743922_rule |
| Description | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate a hash for the password
by running the following command:
# grub2-setpassword
When prompted, enter the password that was selected.
|
| Rationale | Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode. |
| Warnings | warning
To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above.
Also, do NOT manually add the superuser account and password to the
grub.cfg file as the grub2-mkconfig command overwrites this file. |
OVAL test results detailsmake sure a password is defined in /boot/efi/EFI/redhat/user.cfg
oval:ssg-test_grub2_uefi_password_usercfg:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_uefi_password_usercfg:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /boot/efi/EFI/redhat/user.cfg | ^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$ | 1 |
Ensure Logs Sent To Remote Hostxccdf_org.ssgproject.content_rule_rsyslog_remote_loghost mediumCCE-80863-4
Ensure Logs Sent To Remote Host
| Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-rsyslog_remote_loghost:def:1 |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80863-4 References:
BP28(R7), NT28(R43), NT12(R5), 4.2.1.6, 1, 13, 14, 15, 16, 2, 3, 5, 6, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001348, CCI-000136, CCI-001851, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(8), 164.310(d)(2)(iii), 164.312(b), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 7.1, SR 7.2, 0988, 1405, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.17.2.1, CIP-003-8 R5.2, CIP-004-6 R3.3, CM-6(a), AU-4(1), AU-9(2), PR.DS-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000479-GPOS-00224, SRG-OS-000480-GPOS-00227, SRG-OS-000342-GPOS-00133, RHEL-08-030690, SV-230479r917883_rule |
| Description | To configure rsyslog to send logs to a remote log server,
open /etc/rsyslog.conf and read and understand the last section of the file,
which describes the multiple directives necessary to activate remote
logging.
Along with these other directives, the system can be configured
to forward its logs to a particular log server by
adding or correcting one of the following lines,
substituting logcollector appropriately.
The choice of protocol depends on the environment of the system;
although TCP and RELP provide more reliable message delivery,
they may not be supported in all environments.
To use UDP for log message delivery:
*.* @logcollector
To use TCP for log message delivery:
*.* @@logcollector
To use RELP for log message delivery:
*.* :omrelp:logcollector
There must be a resolvable DNS CNAME or Alias record set to " logcollector" for logs to be sent correctly to the centralized logging utility. |
| Rationale | A log server (loghost) receives syslog messages from one or more
systems. This data can be used as an additional log source in the event a
system is compromised and its local logs are suspect. Forwarding log messages
to a remote loghost also provides system administrators with a centralized
place to view the status of multiple hosts within the enterprise. |
| Warnings | warning
It is important to configure queues in case the client is sending log
messages to a remote server. If queues are not configured,
the system will stop functioning when the connection
to the remote server is not available. Please consult Rsyslog
documentation for more information about configuration of queues. The
example configuration which should go into /etc/rsyslog.conf
can look like the following lines:
$ActionQueueType LinkedList
$ActionQueueFileName queuefilename
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
|
|
|
OVAL test results detailsEnsures system configured to export logs to remote host
oval:ssg-test_remote_rsyslog_conf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_remote_loghost_rsyslog_conf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/rsyslog.conf | ^\*\.\*[\s]+(?:@|\:omrelp\:) | 1 |
Ensures system configured to export logs to remote host
oval:ssg-test_remote_rsyslog_d:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_remote_loghost_rsyslog_d:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/rsyslog.d | ^.+\.conf$ | ^\*\.\*[\s]+(?:@|\:omrelp\:) | 1 |
Verify Any Configured IPSec Tunnel Connectionsxccdf_org.ssgproject.content_rule_libreswan_approved_tunnels mediumCCE-80836-0
Verify Any Configured IPSec Tunnel Connections
| Rule ID | xccdf_org.ssgproject.content_rule_libreswan_approved_tunnels |
| Result | |
| Multi-check rule | no |
| Time | 2023-11-02T08:32:21+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80836-0 References:
1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, CCI-000336, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), MA-4(6), CM-6(a), AC-4, SC-8, DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227 |
| Description | Libreswan provides an implementation of IPsec
and IKE, which permits the creation of secure tunnels over
untrusted networks. As such, IPsec can be used to circumvent certain
network requirements such as filtering. Verify that if any IPsec connection
(conn) configured in /etc/ipsec.conf and /etc/ipsec.d
exists is an approved organizational connection. |
| Rationale | IP tunneling mechanisms can be used to bypass network filtering. |
| Warnings | warning
Automatic remediation of this control is not available due to the unique
requirements of each system. |
Evaluation messagesinfo
No candidate or applicable check found. |
Disable the Automounterxccdf_org.ssgproject.content_rule_service_autofs_disabled mediumCCE-80873-3
Disable the Automounter
| Rule ID | xccdf_org.ssgproject.content_rule_service_autofs_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_autofs_disabled:def:1 |
| Time | 2023-11-02T08:32:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80873-3 References:
1.1.9, 1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.4.6, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, RHEL-08-040070, SV-230502r627750_rule |
| Description | The autofs daemon mounts and unmounts filesystems, such as user
home directories shared via NFS, on demand. In addition, autofs can be used to handle
removable media, and the default configuration provides the cdrom device as /misc/cd.
However, this method of providing access to removable media is not common, so autofs
can almost always be disabled if NFS is not in use. Even if NFS is required, it may be
possible to configure filesystem mounts statically by editing /etc/fstab
rather than relying on the automounter.
The autofs service can be disabled with the following command:
$ sudo systemctl mask --now autofs.service |
| Rationale | Disabling the automounter permits the administrator to
statically control filesystem mounting through /etc/fstab.
Additionally, automatically mounting filesystems permits easy introduction of
unknown devices, thereby facilitating malicious activity. |
OVAL test results detailspackage autofs is removed
oval:ssg-test_service_autofs_package_autofs_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_service_autofs_package_autofs_removed:obj:1 of type
rpminfo_object
Test that the autofs service is not running
oval:ssg-test_service_not_running_autofs:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_not_running_autofs:obj:1 of type
systemdunitproperty_object
| Unit | Property |
|---|
| ^autofs\.(service|socket)$ | ActiveState |
Test that the property LoadState from the service autofs is masked
oval:ssg-test_service_loadstate_is_masked_autofs:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_loadstate_is_masked_autofs:obj:1 of type
systemdunitproperty_object
| Unit | Property |
|---|
| ^autofs\.(service|socket)$ | LoadState |
Disable Modprobe Loading of USB Storage Driverxccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled mediumCCE-80835-2
Disable Modprobe Loading of USB Storage Driver
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_usb-storage_disabled:def:1 |
| Time | 2023-11-02T08:32:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80835-2 References:
1.1.10, 1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.21, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, RHEL-08-040080, SV-230503r809319_rule |
| Description | To prevent USB storage devices from being used, configure the kernel module loading system
to prevent automatic loading of the USB storage driver.
To configure the system to prevent the usb-storage
kernel module from being loaded, add the following line to the file /etc/modprobe.d/usb-storage.conf:
install usb-storage /bin/true
To configure the system to prevent the usb-storage from being used,
add the following line to file /etc/modprobe.d/usb-storage.conf:
blacklist usb-storage
This will prevent the modprobe program from loading the usb-storage
module, but will not prevent an administrator (or another program) from using the
insmod program to load the module manually. |
| Rationale | USB storage devices such as thumb drives can be used to introduce
malicious software. |
|
|
|
OVAL test results detailskernel module usb-storage blacklisted
oval:ssg-test_kernmod_usb-storage_blacklisted:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_usb-storage_blacklisted:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d | | /etc/modules-load.d | | /run/modprobe.d | | /run/modules-load.d | | /usr/lib/modprobe.d | | /usr/lib/modules-load.d |
| ^.*\.conf$ | ^blacklist\s+usb-storage$ | 1 |
kernel module usb-storage disabled
oval:ssg-test_kernmod_usb-storage_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_usb-storage_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d | | /etc/modules-load.d | | /run/modprobe.d | | /run/modules-load.d | | /usr/lib/modprobe.d | | /usr/lib/modules-load.d |
| ^.*\.conf$ | ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ | 1 |
Disable Core Dumps for SUID programsxccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable mediumCCE-80912-9
Disable Core Dumps for SUID programs
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_fs_suid_dumpable:def:1 |
| Time | 2023-11-02T08:32:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80912-9 References:
BP28(R23), 1.6.1, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), SI-11(a), SI-11(b), 3.3.1.1, 3.3.1.2, 3.3.1.3 |
| Description | To set the runtime status of the fs.suid_dumpable kernel parameter, run the following command: $ sudo sysctl -w fs.suid_dumpable=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.suid_dumpable = 0 |
| Rationale | The core dump of a setuid program is more likely to contain
sensitive data, as the program itself runs with greater privileges than the
user who initiated execution of the program. Disabling the ability for any
setuid program to write a core file decreases the risk of unauthorized access
of such data. |
|
|
OVAL test results detailsfs.suid_dumpable static configuration
oval:ssg-test_sysctl_fs_suid_dumpable_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_fs_suid_dumpable:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_sysctls_sysctl_fs_suid_dumpable:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_fs_suid_dumpable:obj:1
|
fs.suid_dumpable static configuration
oval:ssg-test_sysctl_fs_suid_dumpable_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_fs_suid_dumpable:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_sysctls_sysctl_fs_suid_dumpable:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_fs_suid_dumpable:obj:1
|
fs.suid_dumpable static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_fs_suid_dumpable_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_fs_suid_dumpable:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*fs.suid_dumpable[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter fs.suid_dumpable set to 0
oval:ssg-test_sysctl_fs_suid_dumpable_runtime:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| fs.suid_dumpable | 0 |
Enable ExecShield via sysctlxccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield mediumCCE-80914-5
Enable ExecShield via sysctl
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_exec_shield:def:1 |
| Time | 2023-11-02T08:32:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80914-5 References:
12, 15, 8, APO13.01, DSS05.02, 3.1.7, CCI-002530, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, SC-39, CM-6(a), PR.PT-4, SRG-OS-000433-GPOS-00192 |
| Description | By default on Red Hat Enterprise Linux 8 64-bit systems, ExecShield is
enabled and can only be disabled if the hardware does not support
ExecShield or is disabled in /etc/default/grub. |
| Rationale | ExecShield uses the segmentation feature on all x86 systems to prevent
execution in memory higher than a certain address. It writes an address as
a limit in the code segment descriptor, to control where code can be
executed, on a per-process basis. When the kernel places a process's memory
regions such as the stack and heap higher than this address, the hardware
prevents execution in that address range. This is enabled by default on the
latest Red Hat and Fedora systems if supported by the hardware. |
OVAL test results details64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | nm-vm | Linux | 4.18.0-477.10.1.el8_8.x86_64 | #1 SMP Wed Apr 5 13:35:01 EDT 2023 | x86_64 |
NX is disabled
oval:ssg-test_nx_disabled_grub:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_nx_disabled_grub:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /boot/grub2/grub.cfg | [\s]*noexec[\s]*=[\s]*off | 1 |
Enable Randomized Layout of Virtual Address Spacexccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space mediumCCE-80916-0
Enable Randomized Layout of Virtual Address Space
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_randomize_va_space:def:1 |
| Time | 2023-11-02T08:32:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80916-0 References:
BP28(R23), 1.5.3, 3.1.7, CCI-000366, CCI-002824, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), CIP-002-5 R1.1, CIP-002-5 R1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 4.1, CIP-004-6 4.2, CIP-004-6 R2.2.3, CIP-004-6 R2.2.4, CIP-004-6 R2.3, CIP-004-6 R4, CIP-005-6 R1, CIP-005-6 R1.1, CIP-005-6 R1.2, CIP-007-3 R3, CIP-007-3 R3.1, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R8.4, CIP-009-6 R.1.1, CIP-009-6 R4, SC-30, SC-30(2), CM-6(a), Req-2.2.1, 2.2.3, SRG-OS-000433-GPOS-00193, SRG-OS-000480-GPOS-00227, SRG-APP-000450-CTR-001105, RHEL-08-010430, SV-230280r858767_rule |
| Description | To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command: $ sudo sysctl -w kernel.randomize_va_space=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.randomize_va_space = 2 |
| Rationale | Address space layout randomization (ASLR) makes it more difficult for an
attacker to predict the location of attack code they have introduced into a
process's address space during an attempt at exploitation. Additionally,
ASLR makes it more difficult for an attacker to know the location of
existing code in order to re-purpose it using return oriented programming
(ROP) techniques. |
|
|
|
OVAL test results detailskernel.randomize_va_space static configuration
oval:ssg-test_sysctl_kernel_randomize_va_space_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_randomize_va_space:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_sysctls_sysctl_kernel_randomize_va_space:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_randomize_va_space:obj:1
|
kernel.randomize_va_space static configuration
oval:ssg-test_sysctl_kernel_randomize_va_space_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_randomize_va_space:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_sysctls_sysctl_kernel_randomize_va_space:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_randomize_va_space:obj:1
|
kernel.randomize_va_space static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_kernel_randomize_va_space_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_kernel_randomize_va_space:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.randomize_va_space[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter kernel.randomize_va_space set to 2
oval:ssg-test_sysctl_kernel_randomize_va_space_runtime:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| kernel.randomize_va_space | 2 |
Restrict Access to Kernel Message Bufferxccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict lowCCE-80913-7
Restrict Access to Kernel Message Buffer
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_dmesg_restrict:def:1 |
| Time | 2023-11-02T08:32:23+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-80913-7 References:
BP28(R23), 3.1.5, CCI-001090, CCI-001314, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), SI-11(a), SI-11(b), SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069, SRG-APP-000243-CTR-000600, RHEL-08-010375, SV-230269r858756_rule |
| Description | To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.dmesg_restrict=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.dmesg_restrict = 1 |
| Rationale | Unprivileged access to the kernel syslog can expose sensitive kernel
address information. |
|
|
|
OVAL test results detailskernel.dmesg_restrict static configuration
oval:ssg-test_sysctl_kernel_dmesg_restrict_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_dmesg_restrict:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_sysctls_sysctl_kernel_dmesg_restrict:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_dmesg_restrict:obj:1
|
kernel.dmesg_restrict static configuration
oval:ssg-test_sysctl_kernel_dmesg_restrict_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_dmesg_restrict:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_sysctls_sysctl_kernel_dmesg_restrict:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_dmesg_restrict:obj:1
|
kernel.dmesg_restrict static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_kernel_dmesg_restrict_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_kernel_dmesg_restrict:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*(.*)[\s]*$ | 1 |
kernel runtime parameter kernel.dmesg_restrict set to 1
oval:ssg-test_sysctl_kernel_dmesg_restrict_runtime:tst:1
false
Following items have been found on the system:
| Name | Value |
|---|
| kernel.dmesg_restrict | 0 |
Disable the selinuxuser_execheap SELinux Booleanxccdf_org.ssgproject.content_rule_sebool_selinuxuser_execheap mediumCCE-80949-1
Disable the selinuxuser_execheap SELinux Boolean
| Rule ID | xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execheap |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sebool_selinuxuser_execheap:def:1 |
| Time | 2023-11-02T08:32:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80949-1 References:
BP28(R67), 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e) |
| Description | By default, the SELinux boolean selinuxuser_execheap is disabled.
When enabled this boolean is enabled it allows selinuxusers to execute code from the heap.
If this setting is enabled, it should be disabled.
To disable the selinuxuser_execheap SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_execheap off |
| Rationale | Disabling code execution from the heap blocks buffer overflow attacks. |
OVAL test results detailsselinuxuser_execheap is configured correctly
oval:ssg-test_sebool_selinuxuser_execheap:tst:1
true
Following items have been found on the system:
| Name | Current status | Pending status |
|---|
| selinuxuser_execheap | false | false |
Enable the selinuxuser_execmod SELinux Booleanxccdf_org.ssgproject.content_rule_sebool_selinuxuser_execmod mediumCCE-80950-9
Enable the selinuxuser_execmod SELinux Boolean
| Rule ID | xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execmod |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sebool_selinuxuser_execmod:def:1 |
| Time | 2023-11-02T08:32:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80950-9 References:
164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e) |
| Description | By default, the SELinux boolean selinuxuser_execmod is enabled.
If this setting is disabled, it should be enabled.
To enable the selinuxuser_execmod SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_execmod on |
| Rationale | |
OVAL test results detailsselinuxuser_execmod is configured correctly
oval:ssg-test_sebool_selinuxuser_execmod:tst:1
true
Following items have been found on the system:
| Name | Current status | Pending status |
|---|
| selinuxuser_execmod | true | true |
Disable the selinuxuser_execstack SELinux Booleanxccdf_org.ssgproject.content_rule_sebool_selinuxuser_execstack mediumCCE-80951-7
Disable the selinuxuser_execstack SELinux Boolean
| Rule ID | xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execstack |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sebool_selinuxuser_execstack:def:1 |
| Time | 2023-11-02T08:32:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80951-7 References:
BP28(R67), 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e) |
| Description | By default, the SELinux boolean selinuxuser_execstack is enabled.
This setting should be disabled as unconfined executables should not be able
to make their stack executable.
To disable the selinuxuser_execstack SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_execstack off |
| Rationale | Disabling code execution from the stack blocks buffer overflow attacks. |
|
|
OVAL test results detailsselinuxuser_execstack is configured correctly
oval:ssg-test_sebool_selinuxuser_execstack:tst:1
false
Following items have been found on the system:
| Name | Current status | Pending status |
|---|
| selinuxuser_execstack | true | true |
Ensure SELinux Not Disabled in /etc/default/grubxccdf_org.ssgproject.content_rule_grub2_enable_selinux mediumCCE-80827-9
Ensure SELinux Not Disabled in /etc/default/grub
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_enable_selinux |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_enable_selinux:def:1 |
| Time | 2023-11-02T08:32:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80827-9 References:
1.6.1.2, 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-000022, CCI-000032, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-3, AC-3(3)(a), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4 |
| Description | SELinux can be disabled at boot time by an argument in
/etc/default/grub.
Remove any instances of selinux=0 from the kernel arguments in that
file to prevent SELinux from being disabled at boot. |
| Rationale | Disabling a major host protection feature, such as SELinux, at boot time prevents
it from confining system services at boot time. Further, it increases
the chances that it will remain off during system operation. |
OVAL test results detailscheck value selinux|enforcing=0 in /etc/default/grub, fail if found
oval:ssg-test_selinux_default_grub:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_selinux_default_grub:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/default/grub | ^[\s]*GRUB_CMDLINE_LINUX.*(selinux|enforcing)=0.*$ | 1 |
check value selinux|enforcing=0 in /etc/grub2.cfg, fail if found
oval:ssg-test_selinux_grub2_cfg:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_selinux_grub2_cfg:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/grub2.cfg | ^.*(selinux|enforcing)=0.*$ | 1 |
check value selinux|enforcing=0 in /etc/grub.d fail if found
oval:ssg-test_selinux_grub_dir:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_selinux_grub_dir:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/grub.d | ^.*$ | ^.*(selinux|enforcing)=0.*$ | 1 |
Ensure No Daemons are Unconfined by SELinuxxccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons mediumCCE-80867-5
Ensure No Daemons are Unconfined by SELinux
| Rule ID | xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-selinux_confinement_of_daemons:def:1 |
| Time | 2023-11-02T08:32:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80867-5 References:
1.6.1.6, 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, MEA02.01, 3.1.2, 3.1.5, 3.7.2, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-3(3)(a), AC-6, PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, PR.PT-3 |
| Description | Daemons for which the SELinux policy does not contain rules will inherit the
context of the parent process. Because daemons are launched during
startup and descend from the init process, they inherit the unconfined_service_t context.
To check for unconfined daemons, run the following command:
$ sudo ps -eZ | grep "unconfined_service_t"
It should produce no output in a well-configured system. |
| Rationale | Daemons which run with the unconfined_service_t context may cause AVC denials,
or allow privileges that the daemon does not require. |
| Warnings | warning
Automatic remediation of this control is not available. Remediation
can be achieved by amending SELinux policy or stopping the unconfined
daemons as outlined above. |
OVAL test results detailsnone satisfy unconfined_service_t in /proc
oval:ssg-test_selinux_confinement_of_daemons:tst:1
false
Following items have been found on the system:
| Filepath | Path | Filename | User | Role | Type | Low sensitivity | Rawlow sensitivity |
|---|
| /proc/1535/mountstats | /proc/1535 | mountstats | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/clear_refs | /proc/1535 | clear_refs | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/smaps | /proc/1535 | smaps | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/smaps_rollup | /proc/1535 | smaps_rollup | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/environ | /proc/1535 | environ | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/auxv | /proc/1535 | auxv | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/schedstat | /proc/1535 | schedstat | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/cpuset | /proc/1535 | cpuset | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/cgroup | /proc/1535 | cgroup | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/cpu_resctrl_groups | /proc/1535 | cpu_resctrl_groups | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/oom_score | /proc/1535 | oom_score | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/oom_adj | /proc/1535 | oom_adj | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/oom_score_adj | /proc/1535 | oom_score_adj | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/loginuid | /proc/1535 | loginuid | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/sessionid | /proc/1535 | sessionid | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/coredump_filter | /proc/1535 | coredump_filter | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/io | /proc/1535 | io | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/uid_map | /proc/1535 | uid_map | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/gid_map | /proc/1535 | gid_map | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/projid_map | /proc/1535 | projid_map | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/setgroups | /proc/1535 | setgroups | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/timers | /proc/1535 | timers | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/timerslack_ns | /proc/1535 | timerslack_ns | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/patch_state | /proc/1535 | patch_state | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/mounts | /proc/1535 | mounts | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/mountinfo | /proc/1535 | mountinfo | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/personality | /proc/1535 | personality | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/limits | /proc/1535 | limits | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/comm | /proc/1535 | comm | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/syscall | /proc/1535 | syscall | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/timens_offsets | /proc/1535 | timens_offsets | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/status | /proc/1535 | status | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/maps | /proc/1535 | maps | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/numa_maps | /proc/1535 | numa_maps | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/autogroup | /proc/1535 | autogroup | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/statm | /proc/1535 | statm | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/sched | /proc/1535 | sched | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/cmdline | /proc/1535 | cmdline | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/stat | /proc/1535 | stat | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/mem | /proc/1535 | mem | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/pagemap | /proc/1535 | pagemap | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/wchan | /proc/1535 | wchan | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1535/stack | /proc/1535 | stack | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/auxv | /proc/4470 | auxv | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/environ | /proc/4470 | environ | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/status | /proc/4470 | status | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/personality | /proc/4470 | personality | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/limits | /proc/4470 | limits | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/sched | /proc/4470 | sched | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/autogroup | /proc/4470 | autogroup | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/timens_offsets | /proc/4470 | timens_offsets | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/comm | /proc/4470 | comm | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/syscall | /proc/4470 | syscall | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/cmdline | /proc/4470 | cmdline | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/stat | /proc/4470 | stat | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/statm | /proc/4470 | statm | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/maps | /proc/4470 | maps | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/numa_maps | /proc/4470 | numa_maps | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/mem | /proc/4470 | mem | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/mounts | /proc/4470 | mounts | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/mountinfo | /proc/4470 | mountinfo | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/mountstats | /proc/4470 | mountstats | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/clear_refs | /proc/4470 | clear_refs | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/smaps | /proc/4470 | smaps | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/smaps_rollup | /proc/4470 | smaps_rollup | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/pagemap | /proc/4470 | pagemap | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/wchan | /proc/4470 | wchan | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/stack | /proc/4470 | stack | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/schedstat | /proc/4470 | schedstat | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/cpuset | /proc/4470 | cpuset | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/cgroup | /proc/4470 | cgroup | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/cpu_resctrl_groups | /proc/4470 | cpu_resctrl_groups | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/oom_score | /proc/4470 | oom_score | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/oom_adj | /proc/4470 | oom_adj | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/oom_score_adj | /proc/4470 | oom_score_adj | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/loginuid | /proc/4470 | loginuid | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/sessionid | /proc/4470 | sessionid | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/coredump_filter | /proc/4470 | coredump_filter | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/io | /proc/4470 | io | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/uid_map | /proc/4470 | uid_map | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/gid_map | /proc/4470 | gid_map | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/projid_map | /proc/4470 | projid_map | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/setgroups | /proc/4470 | setgroups | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/timers | /proc/4470 | timers | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/timerslack_ns | /proc/4470 | timerslack_ns | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/4470/patch_state | /proc/4470 | patch_state | system_u | system_r | unconfined_service_t | s0 | s0 |
Configure SELinux Policyxccdf_org.ssgproject.content_rule_selinux_policytype mediumCCE-80868-3
Configure SELinux Policy
| Rule ID | xccdf_org.ssgproject.content_rule_selinux_policytype |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-selinux_policytype:def:1 |
| Time | 2023-11-02T08:32:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80868-3 References:
BP28(R66), 1.6.1.3, 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-002165, CCI-002696, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5, AC-3, AC-3(3)(a), AU-9, SC-7(21), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000445-GPOS-00199, SRG-APP-000233-CTR-000585, RHEL-08-010450, SV-230282r854035_rule |
| Description | The SELinux targeted policy is appropriate for
general-purpose desktops and servers, as well as systems in many other roles.
To configure the system to use this policy, add or correct the following line
in /etc/selinux/config:
SELINUXTYPE=targeted
Other policies, such as mls, provide additional security labeling
and greater confinement but are not compatible with many general-purpose
use cases. |
| Rationale | Setting the SELinux policy to targeted or a more specialized policy
ensures the system will confine processes that are likely to be
targeted for exploitation, such as network or system services.
Note: During the development or debugging of SELinux modules, it is common to
temporarily place non-production systems in permissive mode. In such
temporary cases, SELinux policies should be developed, and once work
is completed, the system should be reconfigured to
targeted. |
OVAL test results detailsTests the value of the ^[\s]*SELINUXTYPE[\s]*=[\s]*([^#]*) expression in the /etc/selinux/config file
oval:ssg-test_selinux_policy:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/selinux/config | SELINUXTYPE=targeted
|
Ensure SELinux State is Enforcingxccdf_org.ssgproject.content_rule_selinux_state highCCE-80869-1
Ensure SELinux State is Enforcing
| Rule ID | xccdf_org.ssgproject.content_rule_selinux_state |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-selinux_state:def:1 |
| Time | 2023-11-02T08:32:23+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80869-1 References:
BP28(R4), BP28(R66), 1.6.1.5, 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-001084, CCI-002165, CCI-002696, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5, AC-3, AC-3(3)(a), AU-9, SC-7(21), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000445-GPOS-00199, SRG-OS-000134-GPOS-00068, RHEL-08-010170, SV-230240r627750_rule |
| Description | The SELinux state should be set to enforcing at
system boot time. In the file /etc/selinux/config, add or correct the
following line to configure the system to boot into enforcing mode:
SELINUX=enforcing |
| Rationale | Setting the SELinux state to enforcing ensures SELinux is able to confine
potentially compromised processes to the security policy, which is designed to
prevent them from causing damage to the system or further elevating their
privileges. |
OVAL test results details/selinux/enforce is 1
oval:ssg-test_etc_selinux_config:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/selinux/config | SELINUX=enforcing |
Disable KDump Kernel Crash Analyzer (kdump)xccdf_org.ssgproject.content_rule_service_kdump_disabled mediumCCE-80878-2
Disable KDump Kernel Crash Analyzer (kdump)
| Rule ID | xccdf_org.ssgproject.content_rule_service_kdump_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_kdump_disabled:def:1 |
| Time | 2023-11-02T08:32:24+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80878-2 References:
11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000366, CCI-001665, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, FMT_SMF_EXT.1.1, SRG-OS-000269-GPOS-00103, SRG-OS-000480-GPOS-00227, RHEL-08-010670, SV-230310r627750_rule |
| Description | The kdump service provides a kernel crash dump analyzer. It uses the kexec
system call to boot a secondary kernel ("capture" kernel) following a system
crash, which can load information from the crashed kernel for analysis.
The kdump service can be disabled with the following command:
$ sudo systemctl mask --now kdump.service |
| Rationale | Kernel core dumps may contain the full contents of system memory at the
time of the crash. Kernel core dumps consume a considerable amount of disk
space and may result in denial of service by exhausting the available space
on the target file system partition. Unless the system is used for kernel
development or testing, there is little need to run the kdump service. |
|
|
|
|
|
|
OVAL test results detailspackage kexec-tools is removed
oval:ssg-test_service_kdump_package_kexec-tools_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| kexec-tools | x86_64 | (none) | 5.el8_8.1 | 2.0.25 | 0:2.0.25-5.el8_8.1 | 199e2f91fd431d51 | kexec-tools-0:2.0.25-5.el8_8.1.x86_64 |
Test that the kdump service is not running
oval:ssg-test_service_not_running_kdump:tst:1
false
Following items have been found on the system:
| Unit | Property | Value |
|---|
| kdump.service | ActiveState | active |
Test that the property LoadState from the service kdump is masked
oval:ssg-test_service_loadstate_is_masked_kdump:tst:1
false
Following items have been found on the system:
| Unit | Property | Value |
|---|
| kdump.service | LoadState | loaded |
Enable cron Servicexccdf_org.ssgproject.content_rule_service_crond_enabled mediumCCE-80875-8
Enable cron Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_crond_enabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_crond_enabled:def:1 |
| Time | 2023-11-02T08:32:26+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80875-8 References:
5.1.1, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-6(a), PR.IP-1, PR.PT-3 |
| Description | The crond service is used to execute commands at
preconfigured times. It is required by almost all systems to perform necessary
maintenance tasks, such as notifying root of system activity.
The crond service can be enabled with the following command:
$ sudo systemctl enable crond.service |
| Rationale | Due to its usage for maintenance and security-supporting tasks,
enabling the cron daemon is essential. |
OVAL test results detailspackage cronie is installed
oval:ssg-test_service_crond_package_cronie_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| cronie | x86_64 | (none) | 8.el8 | 1.5.2 | 0:1.5.2-8.el8 | 199e2f91fd431d51 | cronie-0:1.5.2-8.el8.x86_64 |
Test that the crond service is running
oval:ssg-test_service_running_crond:tst:1
true
Following items have been found on the system:
| Unit | Property | Value |
|---|
| crond.service | ActiveState | active |
systemd test
oval:ssg-test_multi_user_wants_crond:tst:1
true
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| multi-user.target | basic.target | sysinit.target | nis-domainname.service | systemd-hwdb-update.service | kmod-static-nodes.service | lvm2-lvmpolld.socket | selinux-autorelabel-mark.service | systemd-journal-flush.service | ldconfig.service | local-fs.target | var.mount | boot.mount | -.mount | usr.mount | home.mount | boot-efi.mount | tmp.mount | systemd-remount-fs.service | systemd-tmpfiles-setup-dev.service | systemd-sysusers.service | systemd-tmpfiles-setup.service | systemd-random-seed.service | systemd-machine-id-commit.service | systemd-binfmt.service | loadmodules.service | proc-sys-fs-binfmt_misc.automount | systemd-ask-password-console.path | systemd-journal-catalog-update.service | systemd-journald.service | dev-mqueue.mount | sys-fs-fuse-connections.mount | systemd-update-utmp.service | sys-kernel-debug.mount | lvm2-monitor.service | rngd.service | systemd-udevd.service | systemd-modules-load.service | sys-kernel-config.mount | systemd-update-done.service | systemd-sysctl.service | systemd-udev-trigger.service | import-state.service | dracut-shutdown.service | cryptsetup.target | systemd-firstboot.service | multipathd.service | dev-hugepages.mount | swap.target | iscsi-onboot.service | slices.target | -.slice | system.slice | sockets.target | iscsid.socket | dbus.socket | sssd-kcm.socket | multipathd.socket | systemd-udevd-kernel.socket | iscsiuio.socket | systemd-journald.socket | systemd-journald-dev-log.socket | systemd-coredump.socket | dm-event.socket | systemd-initctl.socket | systemd-udevd-control.socket | paths.target | timers.target | systemd-tmpfiles-clean.timer | dnf-automatic.timer | dnf-makecache.timer | unbound-anchor.timer | mlocate-updatedb.timer | getty.target | serial-getty@ttyS0.service | getty@tty1.service | waagent.service | systemd-resolved.service | irqbalance.service | firewalld.service | libstoragemgmt.service | chronyd.service | atd.service | mcelog.service | rsyslog.service | rhsmcertd.service | auditd.service | cloud-init.target | cloud-init.service | cloud-config.service | cloud-init-local.service | cloud-final.service | systemd-update-utmp-runlevel.service | kdump.service | remote-fs.target | mnt.mount | iscsi.service | systemd-logind.service | smartd.service | vdo.service | systemd-ask-password-wall.path | sshd.service | nftables.service | dbus.service | mdmonitor.service | NetworkManager.service | systemd-user-sessions.service | crond.service | insights-client-boot.service | tuned.service | sssd.service |
systemd test
oval:ssg-test_multi_user_wants_crond_socket:tst:1
false
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| multi-user.target | basic.target | sysinit.target | nis-domainname.service | systemd-hwdb-update.service | kmod-static-nodes.service | lvm2-lvmpolld.socket | selinux-autorelabel-mark.service | systemd-journal-flush.service | ldconfig.service | local-fs.target | var.mount | boot.mount | -.mount | usr.mount | home.mount | boot-efi.mount | tmp.mount | systemd-remount-fs.service | systemd-tmpfiles-setup-dev.service | systemd-sysusers.service | systemd-tmpfiles-setup.service | systemd-random-seed.service | systemd-machine-id-commit.service | systemd-binfmt.service | loadmodules.service | proc-sys-fs-binfmt_misc.automount | systemd-ask-password-console.path | systemd-journal-catalog-update.service | systemd-journald.service | dev-mqueue.mount | sys-fs-fuse-connections.mount | systemd-update-utmp.service | sys-kernel-debug.mount | lvm2-monitor.service | rngd.service | systemd-udevd.service | systemd-modules-load.service | sys-kernel-config.mount | systemd-update-done.service | systemd-sysctl.service | systemd-udev-trigger.service | import-state.service | dracut-shutdown.service | cryptsetup.target | systemd-firstboot.service | multipathd.service | dev-hugepages.mount | swap.target | iscsi-onboot.service | slices.target | -.slice | system.slice | sockets.target | iscsid.socket | dbus.socket | sssd-kcm.socket | multipathd.socket | systemd-udevd-kernel.socket | iscsiuio.socket | systemd-journald.socket | systemd-journald-dev-log.socket | systemd-coredump.socket | dm-event.socket | systemd-initctl.socket | systemd-udevd-control.socket | paths.target | timers.target | systemd-tmpfiles-clean.timer | dnf-automatic.timer | dnf-makecache.timer | unbound-anchor.timer | mlocate-updatedb.timer | getty.target | serial-getty@ttyS0.service | getty@tty1.service | waagent.service | systemd-resolved.service | irqbalance.service | firewalld.service | libstoragemgmt.service | chronyd.service | atd.service | mcelog.service | rsyslog.service | rhsmcertd.service | auditd.service | cloud-init.target | cloud-init.service | cloud-config.service | cloud-init-local.service | cloud-final.service | systemd-update-utmp-runlevel.service | kdump.service | remote-fs.target | mnt.mount | iscsi.service | systemd-logind.service | smartd.service | vdo.service | systemd-ask-password-wall.path | sshd.service | nftables.service | dbus.service | mdmonitor.service | NetworkManager.service | systemd-user-sessions.service | crond.service | insights-client-boot.service | tuned.service | sssd.service |
Use Kerberos Security on All Exportsxccdf_org.ssgproject.content_rule_use_kerberos_security_all_exports mediumCCE-80924-4
Use Kerberos Security on All Exports
| Rule ID | xccdf_org.ssgproject.content_rule_use_kerberos_security_all_exports |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-use_kerberos_security_all_exports:def:1 |
| Time | 2023-11-02T08:32:26+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80924-4 References:
1, 12, 14, 15, 16, 18, 3, 5, DSS05.04, DSS05.10, DSS06.10, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.3, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.6.1.2, A.9.1.2, A.9.2.1, A.9.2.3, A.9.2.4, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), IA-2, IA-2(8), IA-2(9), AC-17(a), PR.AC-4, PR.AC-7, SRG-OS-000480-GPOS-00227 |
| Description | Using Kerberos on all exported mounts prevents a malicious client or user from
impersonating a system user. To cryptography authenticate users to the NFS server,
add sec=krb5:krb5i:krb5p to each export in /etc/exports. |
| Rationale | When an NFS server is configured to use AUTH_SYS a selected userid and groupid are used to handle
requests from the remote user. The userid and groupid could mistakenly or maliciously be set
incorrectly. The AUTH_GSS method of authentication uses certificates on the server and client
systems to more securely authenticate the remote mount request. |
OVAL test results detailsTests the value of the Kerberos Settings in /etc/exports
oval:ssg-test_use_kerberos_security_all_exports:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_use_kerberos_security_all_exports:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/exports | ^\/.*\((\S+)\)$ | 0 |
Tests if a share is configured in /etc/exports
oval:ssg-test_non_empty_exports_file:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_non_empty_exports_file:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/exports | ^\/.*$ | 0 |
Uninstall xinetd Packagexccdf_org.ssgproject.content_rule_package_xinetd_removed lowCCE-80850-1
Uninstall xinetd Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_xinetd_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_xinetd_removed:def:1 |
| Time | 2023-11-02T08:32:26+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-80850-1 References:
BP28(R1), 2.2.1, 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000305, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, 2.2.4 |
| Description | The xinetd package can be removed with the following command:
$ sudo yum erase xinetd |
| Rationale | Removing the xinetd package decreases the risk of the
xinetd service's accidental (or intentional) activation. |
OVAL test results detailspackage xinetd is removed
oval:ssg-test_package_xinetd_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_xinetd_removed:obj:1 of type
rpminfo_object
Disable xinetd Servicexccdf_org.ssgproject.content_rule_service_xinetd_disabled mediumCCE-80888-1
Disable xinetd Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_xinetd_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_xinetd_disabled:def:1 |
| Time | 2023-11-02T08:32:28+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80888-1 References:
2.1.7, 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.4.7, CCI-000305, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4 |
| Description |
The xinetd service can be disabled with the following command:
$ sudo systemctl mask --now xinetd.service |
| Rationale | The xinetd service provides a dedicated listener service for some programs,
which is no longer necessary for commonly-used network services. Disabling
it ensures that these uncommon services are not running, and also prevents
attacks against xinetd itself. |
OVAL test results detailspackage xinetd is removed
oval:ssg-test_service_xinetd_package_xinetd_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_service_xinetd_package_xinetd_removed:obj:1 of type
rpminfo_object
Test that the xinetd service is not running
oval:ssg-test_service_not_running_xinetd:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_not_running_xinetd:obj:1 of type
systemdunitproperty_object
| Unit | Property |
|---|
| ^xinetd\.(service|socket)$ | ActiveState |
Test that the property LoadState from the service xinetd is masked
oval:ssg-test_service_loadstate_is_masked_xinetd:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_loadstate_is_masked_xinetd:obj:1 of type
systemdunitproperty_object
| Unit | Property |
|---|
| ^xinetd\.(service|socket)$ | LoadState |
Uninstall rsh-server Packagexccdf_org.ssgproject.content_rule_package_rsh-server_removed highCCE-82184-3
Uninstall rsh-server Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_rsh-server_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_rsh-server_removed:def:1 |
| Time | 2023-11-02T08:32:28+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-82184-3 References:
BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000095-GPOS-00049, RHEL-08-040010, SV-230492r627750_rule |
| Description | The rsh-server package can be removed with the following command:
$ sudo yum erase rsh-server |
| Rationale | The rsh-server service provides unencrypted remote access service which does not
provide for the confidentiality and integrity of user passwords or the remote session and has very weak
authentication. If a privileged user were to login using this service, the privileged user password
could be compromised. The rsh-server package provides several obsolete and insecure
network services. Removing it decreases the risk of those services' accidental (or intentional)
activation. |
OVAL test results detailspackage rsh-server is removed
oval:ssg-test_package_rsh-server_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_rsh-server_removed:obj:1 of type
rpminfo_object
Disable rexec Servicexccdf_org.ssgproject.content_rule_service_rexec_disabled highCCE-80884-0
Disable rexec Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_rexec_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_rexec_disabled:def:1 |
| Time | 2023-11-02T08:32:29+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80884-0 References:
11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.1.13, 3.4.7, CCI-000068, CCI-001436, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4 |
| Description | The rexec service, which is available with the rsh-server package
and runs as a service through xinetd or separately as a systemd socket, should be disabled.
If using xinetd, set disable to yes in /etc/xinetd.d/rexec.
The rexec socket can be disabled with the following command:
$ sudo systemctl mask --now rexec.socket |
| Rationale | The rexec service uses unencrypted network communications, which
means that data from the login session, including passwords and
all other information transmitted during the session, can be
stolen by eavesdroppers on the network. |
OVAL test results detailspackage rsh-server is removed
oval:ssg-test_service_rexec_package_rsh-server_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_service_rexec_package_rsh-server_removed:obj:1 of type
rpminfo_object
Test that the rexec service is not running
oval:ssg-test_service_not_running_rexec:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_not_running_rexec:obj:1 of type
systemdunitproperty_object
| Unit | Property |
|---|
| ^rexec\.(service|socket)$ | ActiveState |
Test that the property LoadState from the service rexec is masked
oval:ssg-test_service_loadstate_is_masked_rexec:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_loadstate_is_masked_rexec:obj:1 of type
systemdunitproperty_object
| Unit | Property |
|---|
| ^rexec\.(service|socket)$ | LoadState |
Disable rlogin Servicexccdf_org.ssgproject.content_rule_service_rlogin_disabled highCCE-80885-7
Disable rlogin Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_rlogin_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_rlogin_disabled:def:1 |
| Time | 2023-11-02T08:32:30+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80885-7 References:
1, 11, 12, 14, 15, 16, 3, 5, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.1.13, 3.4.7, CCI-001436, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, PR.IP-1, PR.PT-3, PR.PT-4 |
| Description | The rlogin service, which is available with
the rsh-server package and runs as a service through xinetd or separately
as a systemd socket, should be disabled.
If using xinetd, set disable to yes in /etc/xinetd.d/rlogin.
The rlogin socket can be disabled with the following command:
$ sudo systemctl mask --now rlogin.socket |
| Rationale | The rlogin service uses unencrypted network communications, which
means that data from the login session, including passwords and
all other information transmitted during the session, can be
stolen by eavesdroppers on the network. |
OVAL test results detailspackage rsh-server is removed
oval:ssg-test_service_rlogin_package_rsh-server_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_service_rlogin_package_rsh-server_removed:obj:1 of type
rpminfo_object
Test that the rlogin service is not running
oval:ssg-test_service_not_running_rlogin:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_not_running_rlogin:obj:1 of type
systemdunitproperty_object
| Unit | Property |
|---|
| ^rlogin\.(service|socket)$ | ActiveState |
Test that the property LoadState from the service rlogin is masked
oval:ssg-test_service_loadstate_is_masked_rlogin:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_loadstate_is_masked_rlogin:obj:1 of type
systemdunitproperty_object
| Unit | Property |
|---|
| ^rlogin\.(service|socket)$ | LoadState |
Remove Rsh Trust Filesxccdf_org.ssgproject.content_rule_no_rsh_trust_files highCCE-80842-8
Remove Rsh Trust Files
| Rule ID | xccdf_org.ssgproject.content_rule_no_rsh_trust_files |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-no_rsh_trust_files:def:1 |
| Time | 2023-11-02T08:32:30+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80842-8 References:
6.2.16, 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-001436, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4 |
| Description | The files /etc/hosts.equiv and ~/.rhosts (in
each user's home directory) list remote hosts and users that are trusted by the
local system when using the rshd daemon.
To remove these files, run the following command to delete them from any
location:
$ sudo rm /etc/hosts.equiv
$ rm ~/.rhosts |
| Rationale | This action is only meaningful if .rhosts support is permitted
through PAM. Trust files are convenient, but when used in conjunction with
the R-services, they can allow unauthenticated access to a system. |
OVAL test results detailslook for .rhosts in /root
oval:ssg-test_no_rsh_trust_files_root:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_rsh_trust_files_root:obj:1 of type
file_object
| Path | Filename |
|---|
| /root | ^\.rhosts$ |
look for .rhosts in /home
oval:ssg-test_no_rsh_trust_files_home:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_rsh_trust_files_home:obj:1 of type
file_object
| Behaviors | Path | Filename |
|---|
| no value | /home | ^\.rhosts$ |
look for /etc/hosts.equiv
oval:ssg-test_no_rsh_trust_files_etc:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_rsh_trust_files_etc:obj:1 of type
file_object
| Path | Filename |
|---|
| /etc | ^hosts\.equiv$ |
Uninstall talk-server Packagexccdf_org.ssgproject.content_rule_package_talk-server_removed mediumCCE-82180-1
Uninstall talk-server Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_talk-server_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_talk-server_removed:def:1 |
| Time | 2023-11-02T08:32:30+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82180-1 References:
BP28(R1), 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) |
| Description | The talk-server package can be removed with the following command: $ sudo yum erase talk-server |
| Rationale | The talk software presents a security risk as it uses unencrypted protocols
for communications. Removing the talk-server package decreases the
risk of the accidental (or intentional) activation of talk services. |
OVAL test results detailspackage talk-server is removed
oval:ssg-test_package_talk-server_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_talk-server_removed:obj:1 of type
rpminfo_object
Uninstall talk Packagexccdf_org.ssgproject.content_rule_package_talk_removed mediumCCE-80848-5
Uninstall talk Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_talk_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_talk_removed:def:1 |
| Time | 2023-11-02T08:32:30+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80848-5 References:
BP28(R1), 2.3.3, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 2.2.4 |
| Description | The talk package contains the client program for the
Internet talk protocol, which allows the user to chat with other users on
different systems. Talk is a communication program which copies lines from one
terminal to the terminal of another user.
The talk package can be removed with the following command:
$ sudo yum erase talk |
| Rationale | The talk software presents a security risk as it uses unencrypted protocols
for communications. Removing the talk package decreases the
risk of the accidental (or intentional) activation of talk client program. |
OVAL test results detailspackage talk is removed
oval:ssg-test_package_talk_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_talk_removed:obj:1 of type
rpminfo_object
Uninstall telnet-server Packagexccdf_org.ssgproject.content_rule_package_telnet-server_removed highCCE-82182-7
Uninstall telnet-server Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_telnet-server_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_telnet-server_removed:def:1 |
| Time | 2023-11-02T08:32:30+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-82182-7 References:
BP28(R1), 2.2.16, 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, Req-2.2.2, 2.2.4, SRG-OS-000095-GPOS-00049, RHEL-08-040000, SV-230487r627750_rule |
| Description | The telnet-server package can be removed with the following command:
$ sudo yum erase telnet-server |
| Rationale | It is detrimental for operating systems to provide, or install by default,
functionality exceeding requirements or mission objectives. These
unnecessary capabilities are often overlooked and therefore may remain
unsecure. They increase the risk to the platform by providing additional
attack vectors.
The telnet service provides an unencrypted remote access service which does
not provide for the confidentiality and integrity of user passwords or the
remote session. If a privileged user were to login using this service, the
privileged user password could be compromised.
Removing the telnet-server package decreases the risk of the
telnet service's accidental (or intentional) activation. |
OVAL test results detailspackage telnet-server is removed
oval:ssg-test_package_telnet-server_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_telnet-server_removed:obj:1 of type
rpminfo_object
Remove telnet Clientsxccdf_org.ssgproject.content_rule_package_telnet_removed lowCCE-80849-3
Remove telnet Clients
| Rule ID | xccdf_org.ssgproject.content_rule_package_telnet_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_telnet_removed:def:1 |
| Time | 2023-11-02T08:32:30+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-80849-3 References:
BP28(R1), 2.3.4, 3.1.13, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3, 2.2.4 |
| Description | The telnet client allows users to start connections to other systems via
the telnet protocol. |
| Rationale | The telnet protocol is insecure and unencrypted. The use
of an unencrypted transmission medium could allow an unauthorized user
to steal credentials. The ssh package provides an
encrypted session and stronger security and is included in Red Hat Enterprise Linux 8. |
OVAL test results detailspackage telnet is removed
oval:ssg-test_package_telnet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_telnet_removed:obj:1 of type
rpminfo_object
Disable telnet Servicexccdf_org.ssgproject.content_rule_service_telnet_disabled highCCE-80887-3
Disable telnet Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_telnet_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_telnet_disabled:def:1 |
| Time | 2023-11-02T08:32:31+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80887-3 References:
1, 11, 12, 14, 15, 16, 3, 5, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.1.13, 3.4.7, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, PR.IP-1, PR.PT-3, PR.PT-4 |
| Description | Make sure that the activation of the telnet service on system boot is disabled.
The telnet socket can be disabled with the following command:
$ sudo systemctl mask --now telnet.socket |
| Rationale | The telnet protocol uses unencrypted network communication, which means that data from the
login session, including passwords and all other information transmitted during the session,
can be stolen by eavesdroppers on the network. The telnet protocol is also subject to
man-in-the-middle attacks. |
| Warnings | warning
If the system relies on xinetd to manage telnet sessions, ensure the telnet service
is disabled by the following line: disable = yes. Note that the xinetd file for
telnet is not created automatically, therefore it might have different names. |
OVAL test results detailspackage telnet-server is removed
oval:ssg-test_service_telnet_package_telnet-server_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_service_telnet_package_telnet-server_removed:obj:1 of type
rpminfo_object
Test that the telnet service is not running
oval:ssg-test_service_not_running_telnet:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_not_running_telnet:obj:1 of type
systemdunitproperty_object
| Unit | Property |
|---|
| ^telnet\.(service|socket)$ | ActiveState |
Test that the property LoadState from the service telnet is masked
oval:ssg-test_service_loadstate_is_masked_telnet:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_loadstate_is_masked_telnet:obj:1 of type
systemdunitproperty_object
| Unit | Property |
|---|
| ^telnet\.(service|socket)$ | LoadState |
Disable Quagga Servicexccdf_org.ssgproject.content_rule_service_zebra_disabled mediumCCE-80889-9
Disable Quagga Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_zebra_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_zebra_disabled:def:1 |
| Time | 2023-11-02T08:32:33+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80889-9 References:
12, 15, 8, APO13.01, DSS05.02, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-7(a), CM-7(b), CM-6(a), PR.PT-4, SRG-OS-000480-GPOS-00227 |
| Description |
The zebra service can be disabled with the following command:
$ sudo systemctl mask --now zebra.service |
| Rationale | Routing protocol daemons are typically used on routers to exchange network
topology information with other routers. If routing daemons are used when not
required, system network information may be unnecessarily transmitted across
the network. |
OVAL test results detailspackage quagga is removed
oval:ssg-test_service_zebra_package_quagga_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_service_zebra_package_quagga_removed:obj:1 of type
rpminfo_object
Test that the zebra service is not running
oval:ssg-test_service_not_running_zebra:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_not_running_zebra:obj:1 of type
systemdunitproperty_object
| Unit | Property |
|---|
| ^zebra\.(service|socket)$ | ActiveState |
Test that the property LoadState from the service zebra is masked
oval:ssg-test_service_loadstate_is_masked_zebra:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_loadstate_is_masked_zebra:obj:1 of type
systemdunitproperty_object
| Unit | Property |
|---|
| ^zebra\.(service|socket)$ | LoadState |
Disable Host-Based Authenticationxccdf_org.ssgproject.content_rule_disable_host_auth mediumCCE-80786-7
Disable Host-Based Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_disable_host_auth |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-disable_host_auth:def:1 |
| Time | 2023-11-02T08:32:33+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80786-7 References:
5.2.8, 11, 12, 14, 15, 16, 18, 3, 5, 9, 5.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-3, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.IP-1, PR.PT-3, FIA_UAU.1, 8.3.1, SRG-OS-000480-GPOS-00229 |
| Description | SSH's cryptographic host-based authentication is
more secure than .rhosts authentication. However, it is
not recommended that hosts unilaterally trust one another, even
within an organization.
The default SSH configuration disables host-based authentication. The appropriate
configuration is used if no value is set for HostbasedAuthentication.
To explicitly disable host-based authentication, add or correct the
following line in
/etc/ssh/sshd_config:
HostbasedAuthentication no |
| Rationale | SSH trust relationships mean a compromise on one host
can allow an attacker to move trivially to other hosts. |
|
|
|
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 19.el8_8 | 8.0p1 | 0:8.0p1-19.el8_8 | 199e2f91fd431d51 | openssh-server-0:8.0p1-19.el8_8.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 19.el8_8 | 8.0p1 | 0:8.0p1-19.el8_8 | 199e2f91fd431d51 | openssh-server-0:8.0p1-19.el8_8.x86_64 |
tests the value of HostbasedAuthentication setting in the /etc/ssh/sshd_config file
oval:ssg-test_disable_host_auth:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-obj_disable_host_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)HostbasedAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of HostbasedAuthentication is present
oval:ssg-test_HostbasedAuthentication_present_disable_host_auth:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_disable_host_auth:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-obj_disable_host_auth:obj:1
|
Allow Only SSH Protocol 2xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2 highCCE-80894-9
Allow Only SSH Protocol 2
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2 |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_allow_only_protocol2:def:1 |
| Time | 2023-11-02T08:32:33+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80894-9 References:
NT007(R1), 1, 12, 15, 16, 5, 8, 5.5.6, APO13.01, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.13, 3.5.4, CCI-000197, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 0487, 1449, 1506, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, CM-6(a), AC-17(a), AC-17(2), IA-5(1)(c), SC-13, MA-4(6), PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, PR.PT-4, SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227 |
| Description | Only SSH protocol version 2 connections should be
permitted. The default setting in
/etc/ssh/sshd_config is correct, and can be
verified by ensuring that the following
line appears:
Protocol 2 |
| Rationale | SSH protocol version 1 is an insecure implementation of the SSH protocol and
has many well-known vulnerability exploits. Exploits of the SSH daemon could provide
immediate root access to the system. |
| Warnings | warning
As of openssh-server version 7.4 and above, the only protocol
supported is version 2, and line Protocol 2 in
/etc/ssh/sshd_config is not necessary. |
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 19.el8_8 | 8.0p1 | 0:8.0p1-19.el8_8 | 199e2f91fd431d51 | openssh-server-0:8.0p1-19.el8_8.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 19.el8_8 | 8.0p1 | 0:8.0p1-19.el8_8 | 199e2f91fd431d51 | openssh-server-0:8.0p1-19.el8_8.x86_64 |
OpenSSH is version 7.4 or higher
oval:ssg-test_openssh-server_version:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 19.el8_8 | 8.0p1 | 0:8.0p1-19.el8_8 | 199e2f91fd431d51 | openssh-server-0:8.0p1-19.el8_8.x86_64 |
sshd uses protocol 2
oval:ssg-test_sshd_allow_only_protocol2:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-object_sshd_allow_only_protocol2:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[\s]*(?i)Protocol[\s]+2[\s]*(?:|(?:#.*))?$ | 1 |
Disable Compression Or Set Compression to delayedxccdf_org.ssgproject.content_rule_sshd_disable_compression mediumCCE-80895-6
Disable Compression Or Set Compression to delayed
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_compression |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_compression:def:1 |
| Time | 2023-11-02T08:32:33+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80895-6 References:
11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, SRG-OS-000480-GPOS-00227 |
| Description | Compression is useful for slow network connections over long
distances but can cause performance issues on local LANs. If use of compression
is required, it should be enabled only after a user has authenticated; otherwise,
it should be disabled. To disable compression or delay compression until after
a user has successfully authenticated, add or correct the following line in the
/etc/ssh/sshd_config file:
Compression no |
| Rationale | If compression is allowed in an SSH connection prior to authentication,
vulnerabilities in the compression software could result in compromise of the
system from an unauthenticated connection, potentially with root privileges. |
|
|
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 19.el8_8 | 8.0p1 | 0:8.0p1-19.el8_8 | 199e2f91fd431d51 | openssh-server-0:8.0p1-19.el8_8.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 19.el8_8 | 8.0p1 | 0:8.0p1-19.el8_8 | 199e2f91fd431d51 | openssh-server-0:8.0p1-19.el8_8.x86_64 |
tests the value of Compression setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_compression:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_compression:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)Compression(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Disable SSH Access via Empty Passwordsxccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords highCCE-80896-4
Disable SSH Access via Empty Passwords
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_empty_passwords:def:1 |
| Time | 2023-11-02T08:32:33+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80896-4 References:
NT007(R17), 5.2.9, 11, 12, 13, 14, 15, 16, 18, 3, 5, 9, 5.5.6, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, 3.1.1, 3.1.5, CCI-000366, CCI-000766, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, FIA_UAU.1, Req-2.2.4, 2.2.6, SRG-OS-000106-GPOS-00053, SRG-OS-000480-GPOS-00229, SRG-OS-000480-GPOS-00227, RHEL-08-020330, SV-230380r858715_rule |
| Description | Disallow SSH login with empty passwords.
The default SSH configuration disables logins with empty passwords. The appropriate
configuration is used if no value is set for PermitEmptyPasswords.
To explicitly disallow SSH login from accounts with empty passwords,
add or correct the following line in
/etc/ssh/sshd_config:
PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and PAM configuration
should prevent users from being able to assign themselves empty passwords. |
| Rationale | Configuring this setting for the SSH daemon provides additional assurance
that remote login via SSH will require a password, even in the event of
misconfiguration elsewhere. |
|
|
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 19.el8_8 | 8.0p1 | 0:8.0p1-19.el8_8 | 199e2f91fd431d51 | openssh-server-0:8.0p1-19.el8_8.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 19.el8_8 | 8.0p1 | 0:8.0p1-19.el8_8 | 199e2f91fd431d51 | openssh-server-0:8.0p1-19.el8_8.x86_64 |
tests the value of PermitEmptyPasswords setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_empty_passwords:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_empty_passwords:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of PermitEmptyPasswords is present
oval:ssg-test_PermitEmptyPasswords_present_sshd_disable_empty_passwords:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_disable_empty_passwords:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-obj_sshd_disable_empty_passwords:obj:1
|
Disable GSSAPI Authenticationxccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth mediumCCE-80897-2
Disable GSSAPI Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_gssapi_auth:def:1 |
| Time | 2023-11-02T08:32:33+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80897-2 References:
11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000318, CCI-000368, CCI-001812, CCI-001813, CCI-001814, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, 0418, 1055, 1402, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-7(a), CM-7(b), CM-6(a), AC-17(a), PR.IP-1, FTP_ITC_EXT.1, FCS_SSH_EXT.1.2, SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227, RHEL-08-010522, SV-244528r858709_rule |
| Description | Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like GSSAPI.
The default SSH configuration disallows authentications based on GSSAPI. The appropriate
configuration is used if no value is set for GSSAPIAuthentication.
To explicitly disable GSSAPI authentication, add or correct the following line in
/etc/ssh/sshd_config:
GSSAPIAuthentication no |
| Rationale | GSSAPI authentication is used to provide additional authentication mechanisms to
applications. Allowing GSSAPI authentication through SSH exposes the system's
GSSAPI to remote hosts, increasing the attack surface of the system. |
|
|
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 19.el8_8 | 8.0p1 | 0:8.0p1-19.el8_8 | 199e2f91fd431d51 | openssh-server-0:8.0p1-19.el8_8.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 19.el8_8 | 8.0p1 | 0:8.0p1-19.el8_8 | 199e2f91fd431d51 | openssh-server-0:8.0p1-19.el8_8.x86_64 |
tests the value of GSSAPIAuthentication setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_gssapi_auth:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_gssapi_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of GSSAPIAuthentication is present
oval:ssg-test_GSSAPIAuthentication_present_sshd_disable_gssapi_auth:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_disable_gssapi_auth:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-obj_sshd_disable_gssapi_auth:obj:1
|
Disable Kerberos Authenticationxccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth mediumCCE-80898-0
Disable Kerberos Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_kerb_auth:def:1 |
| Time | 2023-11-02T08:32:33+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80898-0 References:
11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000318, CCI-000368, CCI-001812, CCI-001813, CCI-001814, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, FTP_ITC_EXT.1, FCS_SSH_EXT.1.2, SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227, RHEL-08-010521, SV-230291r858707_rule |
| Description | Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like Kerberos.
The default SSH configuration disallows authentication validation through Kerberos.
The appropriate configuration is used if no value is set for KerberosAuthentication.
To explicitly disable Kerberos authentication, add or correct the following line in
/etc/ssh/sshd_config:
KerberosAuthentication no |
| Rationale | Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos
is enabled through SSH, the SSH daemon provides a means of access to the
system's Kerberos implementation.
Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere. |
|
|
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 19.el8_8 | 8.0p1 | 0:8.0p1-19.el8_8 | 199e2f91fd431d51 | openssh-server-0:8.0p1-19.el8_8.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 19.el8_8 | 8.0p1 | 0:8.0p1-19.el8_8 | 199e2f91fd431d51 | openssh-server-0:8.0p1-19.el8_8.x86_64 |
tests the value of KerberosAuthentication setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_kerb_auth:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_kerb_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)KerberosAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of KerberosAuthentication is present
oval:ssg-test_KerberosAuthentication_present_sshd_disable_kerb_auth:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_disable_kerb_auth:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-obj_sshd_disable_kerb_auth:obj:1
|
Disable SSH Root Loginxccdf_org.ssgproject.content_rule_sshd_disable_root_login mediumCCE-80901-2
Disable SSH Root Login
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_root_login |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_root_login:def:1 |
| Time | 2023-11-02T08:32:33+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80901-2 References:
BP28(R19), NT007(R21), 5.2.7, 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.6, APO01.06, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.1.5, CCI-000366, CCI-000770, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-6(2), AC-17(a), IA-2, IA-2(5), CM-7(a), CM-7(b), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, PR.PT-3, FAU_GEN.1, Req-2.2.4, 2.2.6, SRG-OS-000109-GPOS-00056, SRG-OS-000480-GPOS-00227, SRG-APP-000148-CTR-000335, SRG-APP-000190-CTR-000500, RHEL-08-010550, SV-230296r858711_rule |
| Description | The root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line in
/etc/ssh/sshd_config:
PermitRootLogin no |
| Rationale | Even though the communications channel may be encrypted, an additional layer of
security is gained by extending the policy of not logging directly on as root.
In addition, logging in with a user-specific account provides individual
accountability of actions performed on the system and also helps to minimize
direct attack attempts on root's password. |
| Warnings | warning
This rule is disabled on Red Hat Virtualization Hosts and Managers, it will report not applicable.
RHV hosts require root access to be managed by RHV Manager. |
|
|
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 19.el8_8 | 8.0p1 | 0:8.0p1-19.el8_8 | 199e2f91fd431d51 | openssh-server-0:8.0p1-19.el8_8.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 19.el8_8 | 8.0p1 | 0:8.0p1-19.el8_8 | 199e2f91fd431d51 | openssh-server-0:8.0p1-19.el8_8.x86_64 |
tests the value of PermitRootLogin setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_root_login:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_root_login:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)PermitRootLogin(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of PermitRootLogin is present
oval:ssg-test_PermitRootLogin_present_sshd_disable_root_login:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_disable_root_login:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-obj_sshd_disable_root_login:obj:1
|
Do Not Allow SSH Environment Optionsxccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env mediumCCE-80903-8
Do Not Allow SSH Environment Options
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_do_not_permit_user_env:def:1 |
| Time | 2023-11-02T08:32:33+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80903-8 References:
5.2.10, 11, 3, 9, 5.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, Req-2.2.4, 2.2.6, SRG-OS-000480-GPOS-00229, RHEL-08-010830, SV-230330r877377_rule |
| Description | Ensure that users are not able to override environment variables of the SSH daemon.
The default SSH configuration disables environment processing. The appropriate
configuration is used if no value is set for PermitUserEnvironment.
To explicitly disable Environment options, add or correct the following
/etc/ssh/sshd_config:
PermitUserEnvironment no |
| Rationale | SSH environment options potentially allow users to bypass
access restriction in some configurations. |
|
|
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 19.el8_8 | 8.0p1 | 0:8.0p1-19.el8_8 | 199e2f91fd431d51 | openssh-server-0:8.0p1-19.el8_8.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 19.el8_8 | 8.0p1 | 0:8.0p1-19.el8_8 | 199e2f91fd431d51 | openssh-server-0:8.0p1-19.el8_8.x86_64 |
tests the value of PermitUserEnvironment setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_do_not_permit_user_env:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_do_not_permit_user_env:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)PermitUserEnvironment(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of PermitUserEnvironment is present
oval:ssg-test_PermitUserEnvironment_present_sshd_do_not_permit_user_env:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_do_not_permit_user_env:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-obj_sshd_do_not_permit_user_env:obj:1
|
Enable Use of Strict Mode Checkingxccdf_org.ssgproject.content_rule_sshd_enable_strictmodes mediumCCE-80904-6
Enable Use of Strict Mode Checking
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_enable_strictmodes:def:1 |
| Time | 2023-11-02T08:32:33+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80904-6 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6, AC-17(a), CM-6(a), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-010500, SV-230288r858701_rule |
| Description | SSHs StrictModes option checks file and ownership permissions in
the user's home directory .ssh folder before accepting login. If world-
writable permissions are found, logon is rejected.
The default SSH configuration has StrictModes enabled. The appropriate
configuration is used if no value is set for StrictModes.
To explicitly enable StrictModes in SSH, add or correct the following line in
/etc/ssh/sshd_config:
StrictModes yes |
| Rationale | If other users have access to modify user-specific SSH configuration files, they
may be able to log into the system as another user. |
|
|
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 19.el8_8 | 8.0p1 | 0:8.0p1-19.el8_8 | 199e2f91fd431d51 | openssh-server-0:8.0p1-19.el8_8.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 19.el8_8 | 8.0p1 | 0:8.0p1-19.el8_8 | 199e2f91fd431d51 | openssh-server-0:8.0p1-19.el8_8.x86_64 |
tests the value of StrictModes setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_enable_strictmodes:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_enable_strictmodes:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)StrictModes(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of StrictModes is present
oval:ssg-test_StrictModes_present_sshd_enable_strictmodes:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_enable_strictmodes:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-obj_sshd_enable_strictmodes:obj:1
|
Enable SSH Warning Bannerxccdf_org.ssgproject.content_rule_sshd_enable_warning_banner mediumCCE-80905-3
Enable SSH Warning Banner
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_enable_warning_banner:def:1 |
| Time | 2023-11-02T08:32:33+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80905-3 References:
1, 12, 15, 16, 5.5.6, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), AC-17(a), CM-6(a), PR.AC-7, FTA_TAB.1, Req-2.2.4, 2.2.6, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, RHEL-08-010040, SV-230225r858694_rule |
| Description | To enable the warning banner and ensure it is consistent
across the system, add or correct the following line in
/etc/ssh/sshd_config:
Banner /etc/issue
Another section contains information on how to create an
appropriate system-wide warning banner. |
| Rationale | The warning message reinforces policy awareness during the logon process and
facilitates possible legal action against attackers. Alternatively, systems
whose ownership should not be obvious should ensure usage of a banner that does
not provide easy attribution. |
|
|
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 19.el8_8 | 8.0p1 | 0:8.0p1-19.el8_8 | 199e2f91fd431d51 | openssh-server-0:8.0p1-19.el8_8.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 19.el8_8 | 8.0p1 | 0:8.0p1-19.el8_8 | 199e2f91fd431d51 | openssh-server-0:8.0p1-19.el8_8.x86_64 |
tests the value of Banner setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_enable_warning_banner:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_enable_warning_banner:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)Banner(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of Banner is present
oval:ssg-test_Banner_present_sshd_enable_warning_banner:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_enable_warning_banner:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-obj_sshd_enable_warning_banner:obj:1
|
Scroll back to the first rule